-
Notifications
You must be signed in to change notification settings - Fork 2
/
vaultauth_types.go
97 lines (73 loc) · 5.87 KB
/
vaultauth_types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// AuthConfig for setting TTL
type AuthConfig struct {
DefaultLeaseTTL int64 `json:"defaultLeaseTTL,omitempty" yaml:"defaultLeaseTTL,omitempty" vault:"default_lease_ttl"`
MaxLeaseTTL int64 `json:"maxLeaseTTL,omitempty" yaml:"maxLeaseTTL,omitempty" vault:"max_lease_ttl"`
}
// JWTAuthConfig is config for JWT
type JWTAuthConfig struct {
// OIDCDiscoveryURL oidc_discovery_url (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with "jwks_url" or "jwt_validation_pubkeys".
OIDCDiscoveryURL string `json:"oidcDiscoveryURL,omitempty" yaml:"oidcDiscoveryURL,omitempty" vault:"oidc_discovery_url,omitempty"`
// OIDCDiscoveryCAPem oidc_discovery_ca_pem (string: <optional>) - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used.
OIDCDiscoveryCAPem string `json:"oidcDiscoveryCAPem,omitempty" yaml:"oidcDiscoveryCAPem,omitempty" vault:"oidc_discovery_ca_pem,omitempty"`
// OIDCClientID oidc_client_id (string: <optional>) - The OAuth Client ID from the provider for OIDC roles.
OIDCClientID string `json:"oidcClientID,omitempty" yaml:"oidcClientID,omitempty" vault:"oidc_client_id,omitempty"`
// OIDCClientSecret oidc_client_secret (string: <optional>) - The OAuth Client Secret from the provider for OIDC roles.
OIDCClientSecret string `json:"oidcClientSecret,omitempty" yaml:"oidcClientSecret,omitempty" vault:"oidc_client_secret,omitempty"`
// OIDCResponseMode oidc_response_mode (string: <optional>) - The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". Defaults to "query".
OIDCResponseMode string `json:"oidcResponseMode,omitempty" yaml:"oidcResponseMode,omitempty" vault:"oidc_response_mode,omitempty"`
// OIDCResponseTypes oidc_response_types (comma-separated string, or array of strings: <optional>) - The response types to request. Allowed values are "code" and "id_token". Defaults to "code". Note: "id_token" may only be used if "oidc_response_mode" is set to "form_post".
OIDCResponseTypes string `json:"oidcResponseTypes,omitempty" yaml:"oidcResponseTypes,omitempty" vault:"oidc_response_types,omitempty"`
// JWKSURL jwks_url (string: <optional>) - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
JWKSURL string `json:"JWKSURL,omitempty" yaml:"JWKSURL,omitempty" vault:"jwks_url,omitempty"`
// JWKSCAPem jwks_ca_pem (string: <optional>) - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JWKSCAPem string `json:"JWKSCAPem,omitempty" yaml:"JWKSCAPem,omitempty" vault:"jwks_ca_pem,omitempty"`
// JWTValidationPubkeys jwt_validation_pubkeys (comma-separated string, or array of strings: <optional>) - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "jwks_url" or "oidc_discovery_url".
JWTValidationPubkeys string `json:"jwtValidationPubkeys,omitempty" yaml:"jwtValidationPubkeys,omitempty" vault:"jwt_validation_pubkeys,omitempty"`
// BoundIssuer bound_issuer (string: <optional>) - The value against which to match the iss claim in a JWT.
BoundIssuer string `json:"boundIssuer,omitempty" yaml:"boundIssuer,omitempty" vault:"bound_issuer,omitempty"`
// JWTSupportedAlgs jwt_supported_algs (comma-separated string, or array of strings: <optional>) - A list of supported signing algorithms. Defaults to [RS256]. (Available algorithms + EdDSA)
JWTSupportedAlgs string `json:"jwtSupportedAlgs,omitempty" yaml:"jwtSupportedAlgs,omitempty" vault:"jwt_supported_algs,omitempty"`
// DefaultRole default_role (string: <optional>) - The default role to use if none is provided during login.
DefaultRole string `json:"defaultRole,omitempty" yaml:"defaultRole,omitempty" vault:"default_role,omitempty"`
// ProviderConfig provider_config (map: <optional>) - Configuration options for provider-specific handling. Providers with specific handling include Azure; the options are described in each provider's section in OIDC Provider Setup
ProviderConfig map[string]string `json:"providerConfig,omitempty" yaml:"providerConfig,omitempty" vault:"provider_config,omitempty"`
}
// AuthData is a struct for passing data to vault rest calls
type AuthData struct {
Type string `json:"type" yaml:"type" vault:"type"`
Description string `json:"description" yaml:"description" vault:"description"`
Config AuthConfig `json:"config" yaml:"config" vault:"config"`
}
// VaultAuthSpec spec for auth
// '{"type":"approle","description":"","config":{"options":null,"default_lease_ttl":"0s","max_lease_ttl":"0s","force_no_cache":false},"local":false,"seal_wrap":false,"options":null}' http://127.0.0.1:8200/v1/sys/auth/foo
type VaultAuthSpec struct {
Data AuthData `json:"data,omitempty" yaml:"data,omitempty"`
VaultNamespace string `json:"vaultNamespace,omitempty" yaml:"vaultNamespace,omitempty"`
Path string `json:"path,omitempty" yaml:"path,omitempty"`
JWTConfig JWTAuthConfig `json:"jwtConfig,omitempty" yaml:"jwtConfig,omitempty"`
}
// VaultAuthStatus defines the observed state of VaultAuth
type VaultAuthStatus struct {
}
// +kubebuilder:object:root=true
// VaultAuth is the Schema for the vaultauths API
type VaultAuth struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec VaultAuthSpec `json:"spec,omitempty"`
Status VaultAuthStatus `json:"status,omitempty"`
}
// +kubebuilder:object:root=true
// VaultAuthList contains a list of VaultAuth
type VaultAuthList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []VaultAuth `json:"items"`
}
func init() {
SchemeBuilder.Register(&VaultAuth{}, &VaultAuthList{})
}