From 6a0f285c94969d25ac4bf0fe0bb93e4f575f1e14 Mon Sep 17 00:00:00 2001 From: Armin Schlegel Date: Fri, 7 Jul 2023 12:42:23 +0200 Subject: [PATCH] feat: added helm chart 
Signed-off-by: Armin Schlegel --- Makefile | 11 + .../provider-natssecrets-helm/Chart.yaml | 22 + .../provider-natssecrets-helm/README.md | 46 + ...ue.natssecrets.crossplane.io_accounts.yaml | 633 +++++++++ ...e.natssecrets.crossplane.io_operators.yaml | 390 ++++++ ...issue.natssecrets.crossplane.io_users.yaml | 472 +++++++ ...secrets.crossplane.io_providerconfigs.yaml | 149 ++ .../templates/_helpers.tpl | 52 + .../templates/controllerconfig.yaml | 11 + .../templates/generate-secret.yaml | 183 +++ .../templates/provider.yaml | 13 + .../templates/providerconfig.yaml | 13 + .../values.yaml.tmpl | 37 + examples/account/account.yaml | 2 +- examples/user/user.yaml | 4 +- makelib/helmoci.mk | 135 ++ ...ue.natssecrets.crossplane.io_accounts.yaml | 1201 +++++++++-------- 17 files changed, 2791 insertions(+), 583 deletions(-) create mode 100644 cluster/charts/provider-natssecrets-helm/Chart.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/README.md create mode 100644 cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_accounts.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_operators.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_users.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/crds/natssecrets.crossplane.io_providerconfigs.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/templates/_helpers.tpl create mode 100644 cluster/charts/provider-natssecrets-helm/templates/controllerconfig.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/templates/generate-secret.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/templates/provider.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/templates/providerconfig.yaml create mode 100644 cluster/charts/provider-natssecrets-helm/values.yaml.tmpl create mode 100644 makelib/helmoci.mk 
diff --git a/Makefile b/Makefile index fd3d786..8be8739 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,17 @@ PROJECT_REPO := github.com/edgefarm/$(PROJECT_NAME) PLATFORMS ?= linux_amd64 linux_arm64 -include build/makelib/common.mk +# ==================================================================================== +# Setup Helm + +USE_HELM3 = true +HELM3_VERSION = v3.11.1 +HELM_OCI_URL = ghcr.io/edgefarm/provider-natssecrets +HELM_CHARTS = provider-natssecrets-helm + +-include build/makelib/k8s_tools.mk +-include makelib/helmoci.mk + # Setup Output -include build/makelib/output.mk diff --git a/cluster/charts/provider-natssecrets-helm/Chart.yaml b/cluster/charts/provider-natssecrets-helm/Chart.yaml new file mode 100644 index 0000000..733a727 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +name: provider-natssecrets-helm +description: A Helm chart for provider-natssecrets. Note that you need to have crossplane installed to be able to install this chart. + +type: application +version: 0.1.0 +appVersion: "v0.2.2" + +keywords: + - edgefarm.network + - crossplane + - provider + - crd + - nats + - vault + +sources: + - https://github.com/edgefarm/provider-natssecrets + +maintainers: + - name: Armin Schlegel + email: armin.schlegel@gmx.de diff --git a/cluster/charts/provider-natssecrets-helm/README.md b/cluster/charts/provider-natssecrets-helm/README.md new file mode 100644 index 0000000..8fa5ed3 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/README.md 
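Review bot: The new `-include makelib/helmoci.mk` uses the silent include form, so a missing or mis-pathed file makes every helm/OCI target vanish with no error, which is easy to miss in CI. The existing `-include build/makelib/*.mk` lines presumably tolerate absence because `build/` is a vendored submodule that may not be checked out yet, but `makelib/helmoci.mk` is added to the main tree by this same commit, so a hard `include makelib/helmoci.mk` would fail loudly instead. I would also put a one-line comment above `HELM_OCI_URL` such as `# Chart is pushed to this public OCI registry; the publishing target needs write credentials for ghcr.io/edgefarm` so the publish side effect is visible to whoever runs the target.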
@@ -0,0 +1,46 @@ +# `provider-natssecrets` Helm Chart + +This Helm chart deploys the `provider-natssecrets` container, which provides a NATS-based secrets provider for Crossplane. + +## Prerequisites + +- A Kubernetes cluster with Crossplane installed +- A Vault instance for storing secrets + +You can customize the installation by creating a values.yaml file and specifying the values you want to change. For more information on the available values, please refer to the values.yaml file in this chart. + +## Configuration + +| Field | Description | Default Value | +| --------- | ---------------------------------------------------------- | ----------------- | +| namespace | Specifies the namespace where the resource will be created | crossplane-system | + +The namespace field in the values.yaml file specifies the namespace where the resource will be created. By default, this is set to crossplane-system. + +### Provider + +The provider section of the values.yaml file specifies the configuration for the provider container. You can specify the image tag, pull policy, number of replicas, and command-line arguments for the container. + +| Field | Description | Default Value | +| ----------------- | ----------------------------------------------------------------------------------------- | ------------- | +| package | The Docker image for the provider container. | N/A | +| tag | The tag for the Docker image. If not specified, the chart's appVersion will be used. | Chart version | +| packagePullPolicy | The pull policy for the Docker image. By default, this is set to IfNotPresent. | IfNotPresent | +| replicas | The number of replicas for the provider container. By default, this is set to 1. | 1 | +| args | The command-line arguments for the provider container. By default, this is an empty list. | [] | + +### Vault + +The vault section of the values.yaml file specifies the configuration for accessing a Vault instance. 
You can specify the credentials for accessing the Vault instance, including the address, TLS settings, token, and path to the secrets. + +| Field | Description | Default Value | +| ------------------------------------------- | ---------------------------------------------------------------------------------------------- | ---------------------------- | +| credentials.secretRef.name | The name of the Kubernetes secret containing the credentials for accessing the Vault instance. | provider-natssecrets | +| credentials.secretRef.key | The key in the Kubernetes secret containing the credentials for accessing the Vault instance. | credentials | +| credentials.data.address | The address of the Vault instance. | https://vault.vault.svc:8200 | +| credentials.data.tls | Whether to use TLS when connecting to the Vault instance. | true | +| credentials.data.insecure | Whether to skip TLS verification when connecting to the Vault instance. | true | +| credentials.data.token.value | The token for accessing the Vault instance. If not defined, then fromSecret is used. | N/A (must be set by user) | +| credentials.data.token.fromSecret.name | The name of the Kubernetes secret containing the token for accessing the Vault instance. | bank-vaults | +| credentials.data.token.fromSecret.namespace | The namespace of the Kubernetes secret containing the token for accessing the Vault instance. | vault | +| credentials.data.token.fromSecret.key | The key in the Kubernetes secret containing the token for accessing the Vault instance. | vault-root | diff --git a/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_accounts.yaml b/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_accounts.yaml new file mode 100644 index 0000000..6c2e5e2 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_accounts.yaml 
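Review bot: The Vault table in this README documents `credentials.data.insecure` as defaulting to `true` alongside `credentials.data.tls: true`, i.e. a default install speaks TLS to Vault but skips certificate verification, and the fallback token is the `vault-root` key of the `bank-vaults` secret, i.e. the Vault root token. If `values.yaml.tmpl` (not in view here) really ships those defaults, the README should flag them rather than list them as neutral values; add under the table a line such as `**Warning:** the defaults disable Vault TLS verification and use the Vault root token; set credentials.data.insecure=false and point token.fromSecret at a token bound to a least-privilege policy before any non-test deployment.` The `credentials.secretRef` rows also do not say that the chart appears to materialise this Secret from the `data` block (the diffstat lists a `generate-secret.yaml` template), so it is worth stating that the Vault token is copied into a Secret in the `namespace` value and is readable by anyone with Secret access there. Separately, the `tag` row says the chart's `appVersion` is used when unset but the Default column reads `Chart version`; pick one.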
@@ -0,0 +1,633 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: accounts.issue.natssecrets.crossplane.io +spec: + group: issue.natssecrets.crossplane.io + names: + categories: + - crossplane + - managed + - natssecrets + kind: Account + listKind: AccountList + plural: accounts + singular: account + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.atProvider.operator + name: OPERATOR + type: string + - jsonPath: .status.atProvider.nkey + name: NKEY + priority: 1 + type: string + - jsonPath: .status.atProvider.jwt + name: JWT + priority: 1 + type: string + - jsonPath: .status.atProvider.pushed + name: PUSHED + priority: 1 + type: string + - jsonPath: .status.atProvider.lastPushed + name: LAST PUSHED + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A Account is an example API type. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: A AccountSpec defines the desired state of a Account. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: AccountParameters are the configurable fields of a Account. + properties: + claims: + description: Specifies claims of the JWT + properties: + account: + description: Account specific claims + properties: + defaultPermissions: + description: Default pub/sub permissions for this account + that users inherit + properties: + pub: + description: Specifies the publish permissions + properties: + allow: + description: Specifies allowed subjects + items: + type: string + type: array + deny: + description: Specifies denied subjects + items: + type: string + type: array + type: object + resp: + description: Specifies the response permissions + properties: + max: + description: The maximum number of messages + type: integer + ttl: + description: Specifies the time to live for the + response + type: string + required: + - max + - ttl + type: object + sub: + description: Specifies the subscribe permissions + properties: + allow: + description: Specifies allowed subjects + items: + type: string + type: array + deny: + description: Specifies denied subjects + items: + type: string + type: array + type: object + type: object + description: + description: A human readable description + type: string + exports: + description: A list of account/subject combinations that + this account is allowed to export + items: + description: Export describes a mapping from this account + to another one + properties: + accountTokenPosition: + description: The account token 
position for the + export + type: integer + advertise: + description: Specifies if the export is advertised + type: boolean + description: + description: A human readable description + type: string + infoURL: + description: This is a URL to more information + type: string + name: + description: The name of the export + type: string + responseThreshold: + description: The response threshold for the export + type: string + responseType: + description: The response type for the export + type: string + revocations: + additionalProperties: + format: int64 + type: integer + description: The revocations for the export + type: object + serviceLatency: + description: The latency for the export. + properties: + results: + description: Specifies the results for the latency + type: string + sampling: + description: Specifies the sampling for the + latency + type: integer + required: + - results + - sampling + type: object + subject: + description: The subject to export + type: string + tokenReq: + description: Specifies if a token is required for + the export + type: boolean + type: + description: The type of the export + type: string + type: object + type: array + imports: + description: A list of account/subject combinations that + this account is allowed to import + items: + description: Import describes a mapping from another + account into this one + properties: + account: + description: The account to import from + type: string + localSubject: + description: The local subject to import to + type: string + name: + description: The name of the import + type: string + share: + description: Specifies if the import is shared + type: boolean + subject: + description: The subject to import + type: string + token: + description: The token to use for the import + type: string + type: + description: The type of the import + type: string + type: object + type: array + infoURL: + description: This is a URL to more information + type: string + limits: + description: A set of limits 
for this account + properties: + conn: + description: Max number of connections + format: int64 + type: integer + consumer: + description: Max number of consumers + format: int64 + type: integer + data: + description: Specifies the maximum number of bytes + format: int64 + type: integer + disallowBearer: + description: Specifies that user JWT can't be bearer + token + type: boolean + diskMaxStreamBytes: + default: 0 + description: Max number of bytes a stream can have + on disk. (0 means unlimited) + format: int64 + type: integer + diskStorage: + description: Max number of bytes stored on disk across + all streams. (0 means disabled) + format: int64 + type: integer + exports: + description: Max number of exports + format: int64 + type: integer + imports: + description: Max number of imports + format: int64 + type: integer + leafNodeConn: + description: Max number of leaf node connections + format: int64 + type: integer + maxAckPending: + description: Max number of acks pending + format: int64 + type: integer + maxBytesRequired: + description: Max bytes required by all Streams + type: boolean + memMaxStreamBytes: + default: 0 + description: Max number of bytes a stream can have + in memory. (0 means unlimited) + format: int64 + type: integer + memStorage: + description: Max number of bytes stored in memory + across all streams. 
(0 means disabled) + format: int64 + type: integer + payload: + description: Specifies the maximum message payload + format: int64 + type: integer + streams: + description: Max number of streams + format: int64 + type: integer + subs: + description: Specifies the maximum number of subscriptions + format: int64 + type: integer + wildcardExports: + description: Specifies if wildcards are allowed in + exports + type: boolean + type: object + mappings: + additionalProperties: + items: + description: WeightedMapping is a mapping from one + subject to another with a weight and a destination + cluster + properties: + cluster: + description: The cluster to map to + type: string + subject: + description: The subject to map to + type: string + weight: + description: The amount of 100% that this mapping + should be used + type: integer + required: + - subject + type: object + type: array + description: Stores subjects that get mapped to other + subjects using a weighted mapping. For more information + see https://docs.nats.io/nats-concepts/subject_mapping + type: object + revocations: + additionalProperties: + format: int64 + type: integer + description: Stores user JWTs that have been revoked and + the time they were revoked + type: object + signingKeys: + description: A list of signing keys the account can use + items: + type: string + type: array + tags: + description: Do not set manually + items: + type: string + type: array + type: + description: Do not set manually + type: string + version: + description: Do not set manually + type: integer + type: object + aud: + description: Do not set manually + type: string + exp: + description: Do not set manually + format: int64 + type: integer + iat: + description: Do not set manually + format: int64 + type: integer + iss: + description: Do not set manually + type: string + jti: + description: Do not set manually + type: string + name: + description: Do not set manually + type: string + nbf: + description: Do not set manually + 
format: int64 + type: integer + sub: + description: Do not set manually + type: string + type: object + operator: + type: string + useSigningKey: + type: string + required: + - operator + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. 
+ properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: A AccountStatus represents the observed state of a Account. + properties: + atProvider: + description: AccountObservation are the observable fields of a Account. 
+ properties: + account: + type: string + issue: + type: string + jwt: + type: string + jwtPath: + type: string + lastPushed: + type: string + nkey: + type: string + nkeyPath: + type: string + operator: + type: string + pushed: + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_operators.yaml b/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_operators.yaml new file mode 100644 index 0000000..59b4aae --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_operators.yaml 
@@ -0,0 +1,390 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: operators.issue.natssecrets.crossplane.io +spec: + group: issue.natssecrets.crossplane.io + names: + categories: + - crossplane + - managed + - natssecrets + kind: Operator + listKind: OperatorList + plural: operators + singular: operator + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.atProvider.nkey + name: NKEY + priority: 1 + type: string + - jsonPath: .status.atProvider.jwt + name: JWT + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A Operator is an example API type. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: A OperatorSpec defines the desired state of a Operator. 
+ properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: OperatorParameters are the configurable fields of an + Operator. + properties: + claims: + description: Specifies claims of the JWT + properties: + aud: + description: Do not set manually + type: string + exp: + description: Do not set manually + format: int64 + type: integer + iat: + description: Do not set manually + format: int64 + type: integer + iss: + description: Do not set manually + type: string + jti: + description: Do not set manually + type: string + name: + description: Do not set manually + type: string + nbf: + description: Do not set manually + format: int64 + type: integer + operator: + description: Operator specific claims + properties: + accountServerUrl: + description: AccountServerURL is a partial URL like "https://host.domain.org:/jwt/v1" + tools will use the prefix and build queries by appending + /accounts/ or /operator to the path provided. + Note this assumes that the account server can handle + requests in a nats-account-server compatible way. See + https://github.com/nats-io/nats-account-server. + type: string + assertServerVersion: + description: Min Server version + type: string + operatorServiceUrls: + description: A list of NATS urls (tls://host:port) where + tools can connect to the server using proper credentials. + items: + type: string + type: array + signingKeys: + description: Slice of other operator NKey names that can + be used to sign on behalf of the main operator identity. 
+ items: + type: string + type: array + strictSigningKeyUsage: + description: Signing of subordinate objects will require + signing keys + type: boolean + systemAccount: + description: Identity of the system account by its name + type: string + tags: + description: Do not set manually + items: + type: string + type: array + type: + description: Do not set manually + type: string + version: + description: Do not set manually + type: integer + type: object + sub: + description: Do not set manually + type: string + type: object + createSystemAccount: + type: boolean + syncAccountServer: + type: boolean + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. 
+ type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: A OperatorStatus represents the observed state of a Operator. + properties: + atProvider: + description: OperatorObservation are the observable fields of a Operator. + properties: + issue: + type: string + jwt: + type: string + jwtPath: + type: string + nkey: + type: string + nkeyPath: + type: string + operator: + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + status: + description: Status of this instance. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_users.yaml b/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_users.yaml new file mode 100644 index 0000000..d05cce7 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/crds/issue.natssecrets.crossplane.io_users.yaml 
@@ -0,0 +1,472 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: users.issue.natssecrets.crossplane.io +spec: + group: issue.natssecrets.crossplane.io + names: + categories: + - crossplane + - managed + - natssecrets + kind: User + listKind: UserList + plural: users + singular: user + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.atProvider.operator + name: OPERATOR + type: string + - jsonPath: .status.atProvider.account + name: ACCOUNT + type: string + - jsonPath: .status.atProvider.nkey + name: NKEY + priority: 1 + type: string + - jsonPath: .status.atProvider.jwt + name: JWT + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A User is an example API type. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: A UserSpec defines the desired state of a User. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: UserParameters are the configurable fields of a User. + properties: + account: + type: string + claims: + description: Specifies claims of the JWT + properties: + aud: + description: Do not set manually + type: string + exp: + description: Do not set manually + format: int64 + type: integer + iat: + description: Do not set manually + format: int64 + type: integer + iss: + description: Do not set manually + type: string + jti: + description: Do not set manually + type: string + name: + description: Do not set manually + type: string + nbf: + description: Do not set manually + format: int64 + type: integer + sub: + description: Do not set manually + type: string + user: + description: Specifies the user specific part of the JWT + properties: + allowedConnectionTypes: + description: Specifies the allowed connection types for + this user Allowed values are STANDARD, WEBSOCKET, LEAFNODE, + LEAFNODE_WS, MQTT, MQTT_WS + enum: + - STANDARD + - WEBSOCKET + - LEAFNODE + - LEAFNODE_WS + - MQTT + - MQTT_WS + items: + type: string + type: array + bearerToken: + description: Specifies if this user is allowed to use + a bearer token to connect + type: boolean + data: + description: Specifies the maximum number of bytes + format: int64 + type: integer + issuerAccount: + description: The account that issued this user JWT + type: string + payload: + description: Specifies the maximum message payload + format: int64 + type: integer + pub: + description: Specifies the 
publish permissions + properties: + allow: + description: Specifies allowed subjects + items: + type: string + type: array + deny: + description: Specifies denied subjects + items: + type: string + type: array + type: object + resp: + description: Specifies the response permissions + properties: + max: + description: The maximum number of messages + type: integer + ttl: + description: Specifies the time to live for the response + type: string + required: + - max + - ttl + type: object + src: + description: 'A list of CIDR specifications the user is + allowed to connect from Example: 192.168.1.0/24, 192.168.1.1/1 + or 2001:db8:a0b:12f0::1/32' + items: + type: string + type: array + sub: + description: Specifies the subscribe permissions + properties: + allow: + description: Specifies allowed subjects + items: + type: string + type: array + deny: + description: Specifies denied subjects + items: + type: string + type: array + type: object + subs: + description: Specifies the maximum number of subscriptions + format: int64 + type: integer + tags: + description: Do not set manually + items: + type: string + type: array + times: + description: Represents allowed time ranges the user is + allowed to interact with the system + items: + properties: + end: + description: The end time in the format HH:MM:SS + pattern: ^(((([0-1][0-9])|(2[0-3])):?[0-5][0-9]:?[0-5][0-9]+$)) + type: string + start: + description: The start time in the format HH:MM:SS + pattern: ^(((([0-1][0-9])|(2[0-3])):?[0-5][0-9]:?[0-5][0-9]+$)) + type: string + type: object + type: array + timesLocation: + description: The locale for the times in the format "Europe/Berlin" + type: string + type: + description: Do not set manually + type: string + version: + description: Do not set manually + type: integer + type: object + type: object + operator: + type: string + useSigningKey: + type: string + required: + - account + - operator + type: object + providerConfigRef: + default: + name: default + description: 
ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. 
Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. 
+ type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: A UserStatus represents the observed state of a User. + properties: + atProvider: + description: UserObservation are the observable fields of a User. + properties: + account: + type: string + creds: + type: string + issue: + type: string + jwt: + type: string + jwtPath: + type: string + nkey: + type: string + nkeyPath: + type: string + operator: + type: string + user: + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. 
+ properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/cluster/charts/provider-natssecrets-helm/crds/natssecrets.crossplane.io_providerconfigs.yaml b/cluster/charts/provider-natssecrets-helm/crds/natssecrets.crossplane.io_providerconfigs.yaml new file mode 100644 index 0000000..69172b1 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/crds/natssecrets.crossplane.io_providerconfigs.yaml 
@@ -0,0 +1,149 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: providerconfigs.natssecrets.crossplane.io +spec: + group: natssecrets.crossplane.io + names: + kind: ProviderConfig + listKind: ProviderConfigList + plural: providerconfigs + singular: providerconfig + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.credentials.secretRef.name + name: SECRET-NAME + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A ProviderConfig configures a NatsSecrets provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: A ProviderConfigSpec defines the desired state of a ProviderConfig. + properties: + credentials: + description: Credentials required to authenticate to this provider. + properties: + env: + description: Env is a reference to an environment variable that + contains credentials that must be used to connect to the provider. + properties: + name: + description: Name is the name of an environment variable. 
+ type: string + required: + - name + type: object + fs: + description: Fs is a reference to a filesystem location that contains + credentials that must be used to connect to the provider. + properties: + path: + description: Path is a filesystem path. + type: string + required: + - path + type: object + secretRef: + description: A SecretRef is a reference to a secret key that contains + the credentials that must be used to connect to the provider. + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + source: + description: Source of the provider credentials. + enum: + - None + - Secret + - InjectedIdentity + - Environment + - Filesystem + type: string + required: + - source + type: object + required: + - credentials + type: object + status: + description: A ProviderConfigStatus reflects the observed state of a ProviderConfig. + properties: + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. 
+ type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + users: + description: Users of this provider configuration. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/cluster/charts/provider-natssecrets-helm/templates/_helpers.tpl b/cluster/charts/provider-natssecrets-helm/templates/_helpers.tpl new file mode 100644 index 0000000..4bb5425 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/templates/_helpers.tpl 
@@ -0,0 +1,52 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "provider-natssecrets.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "provider-natssecrets.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "provider-natssecrets.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "provider-natssecrets.labels" -}} +helm.sh/chart: {{ include "provider-natssecrets.chart" . }} +{{ include "provider-natssecrets.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "provider-natssecrets.selectorLabels" -}} +app.kubernetes.io/name: {{ include "provider-natssecrets.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/cluster/charts/provider-natssecrets-helm/templates/controllerconfig.yaml b/cluster/charts/provider-natssecrets-helm/templates/controllerconfig.yaml new file mode 100644 index 0000000..58004f9 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/templates/controllerconfig.yaml 
@@ -0,0 +1,11 @@ +apiVersion: pkg.crossplane.io/v1alpha1 +kind: ControllerConfig +metadata: + name: provider-natssecrets + labels: {{- include "provider-natssecrets.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.provider.replicas }} + args: + {{- range $i, $v := $.Values.provider.args }} + - {{ $v }} + {{- end }} \ No newline at end of file diff --git a/cluster/charts/provider-natssecrets-helm/templates/generate-secret.yaml b/cluster/charts/provider-natssecrets-helm/templates/generate-secret.yaml new file mode 100644 index 0000000..de702d2 --- /dev/null +++ b/cluster/charts/provider-natssecrets-helm/templates/generate-secret.yaml 
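Review bot: The `- {{ $v }}` item emitted by the `range` over `.Values.provider.args` is unquoted, so any argument containing YAML-significant characters (a colon followed by a space, a leading `-`, `*`, `{` or `#`) renders an invalid or silently reinterpreted manifest; `- {{ $v | quote }}` keeps each argument a plain string. `replicas: {{ .Values.provider.replicas }}` is likewise unguarded and renders `replicas:` with an empty value when the key is absent from values, which fails validation; `{{ .Values.provider.replicas | default 1 }}` (or `required`) makes the intent explicit. The file also ends without a trailing newline, which Helm tolerates but some YAML linters flag.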
@@ -0,0 +1,183 @@ +{{- if .Values.vault.credentials.secretRef.data }} +{{- if and .Values.vault.credentials.secretRef.data.token.value .Values.vault.credentials.secretRef.data.token.fromSecret }} + {{- required "Both .vault.credentials.secretRef.data.token.value and vault.credentials.secretRef.data.token.fromSecret cannot be enabled at the same time" "" }} +{{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: generate-provider-natssecrets-secret + namespace: {{ .Values.namespace }} + labels: {{- include "provider-natssecrets.labels" . | nindent 4 }} +data: + generate-secret.sh: | + #!/bin/sh + # Don't abort on error. This is needed to continue the while loop for checking + # if a secret exists + set +e + + data_address="{{ .Values.vault.credentials.secretRef.data.address }}" + data_tls="{{ .Values.vault.credentials.secretRef.data.tls }}" + data_insecure="{{ .Values.vault.credentials.secretRef.data.insecure }}" + token_value="{{ .Values.vault.credentials.secretRef.data.token.value }}" + token_fromSecret="{{ .Values.vault.credentials.secretRef.data.token.fromSecret }}" + + # Perform the same checks as in the "secretContent" template + if [ -z "$data_address" ] || [ -z "$data_tls" ] || [ -z "$data_insecure" ]; then + echo "data.address, data.tls, and data.insecure are required" + exit 1 + fi + + if [ -n "$token_value" ] && [ -n "$token_fromSecret" ]; then + echo "Both data.token.value and data.token.fromSecret cannot be set at the same time" + exit 1 + elif [ -n "$token_value" ]; then + token="$token_value" + elif [ -n "$token_fromSecret" ]; then + {{- with .Values.vault.credentials.secretRef.data.token.fromSecret }} + token_secret_name="{{ .name }}" + token_secret_namespace="{{ .namespace }}" + token_secret_key="{{ .key }}" + {{- end }} + + if [ -z "$token_secret_name" ] || [ -z "$token_secret_namespace" ] || [ -z "$token_secret_key" ]; then + echo "data.token.fromSecret.name, data.token.fromSecret.namespace, and data.token.fromSecret.key must be set" + 
exit 1 + fi + # wait for the secret to be created + while true; do + secret_data=$(kubectl get secret "$token_secret_name" -n "$token_secret_namespace" -o jsonpath='{.data}' 2> /dev/null) + if [ $? -eq 0 ] && [ -n "$(echo "$secret_data" | grep -o "$token_secret_key")" ]; then + break + else + echo "$(date): waiting for secret key $token_secret_key in secret $token_secret_name/$token_secret_namespace to be created..." + sleep 1 + fi + done + + token_secret=$(kubectl get secret "$token_secret_name" -o jsonpath="{.data['$token_secret_key']}" --namespace "$token_secret_namespace") + if [ -z "$token_secret" ]; then + echo "The specified secret and key must exist" + exit 1 + fi + token=$(echo "$token_secret" | base64 --decode) + else + echo "Either data.token.value or data.token.fromSecret must be set" + exit 1 + fi + + SECRET_CONTENT=$(cat <", + # "path": "nats-secrets" + # } + secretRef: + name: provider-natssecrets + key: credentials + # If `data` is passed a secret is created with the given data. + # If not used, an existing secret must exist. + data: + address: https://vault.vault.svc:8200 + tls: true + insecure: true + token: + # Either set the token directly using `value` or reference a secret + # value: supersecret + fromSecret: + name: bank-vaults + namespace: vault + key: vault-root diff --git a/examples/account/account.yaml b/examples/account/account.yaml index bc6c025..3b4e757 100644 --- a/examples/account/account.yaml +++ b/examples/account/account.yaml @@ -17,7 +17,7 @@ spec: imports: -1 exports: -1 providerConfigRef: - name: default + name: provider-natssecrets writeConnectionSecretToRef: namespace: crossplane-system name: myaccount diff --git a/examples/user/user.yaml b/examples/user/user.yaml index 5de6174..3934d8a 100644 --- a/examples/user/user.yaml +++ b/examples/user/user.yaml 
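Review bot: The line `token_value="{{ .Values.vault.credentials.secretRef.data.token.value }}"` inlines the Vault token into a shell script stored in a ConfigMap (`generate-provider-natssecrets-secret`), so a token supplied via `data.token.value` is readable to anyone with ConfigMap read access in `{{ .Values.namespace }}` and is also persisted in the Helm release record that stores the rendered manifest; the `fromSecret` path already keeps the token in a Secret, and the inline value should either be dropped or delivered to the script through an environment variable sourced from a Secret rather than rendered into the ConfigMap. The `data_address`, `data_tls` and `data_insecure` assignments interpolate values into double-quoted shell strings without escaping, so a value containing `"` or `$(` breaks out of the string; `| quote` on each template expression (or passing them as env vars) avoids that. The readiness loop's `grep -o "$token_secret_key"` matches the key as a substring anywhere in the `.data` JSON, so a key named `vault` is satisfied by any other key containing that text; testing that `kubectl get secret ... -o jsonpath="{.data['$token_secret_key']}"` returns a non-empty value, which the script does afterwards anyway, is the check the loop should use. The remainder of this template (the heredoc body and whatever object consumes the generated script) is not legible in the diff as rendered here, so this note covers only the visible part.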
@@ -10,9 +10,9 @@ spec: user: data: 1 payload: 2 - subs: 3 + subs: 300 providerConfigRef: - name: default + name: provider-natssecrets writeConnectionSecretToRef: namespace: crossplane-system name: myuser diff --git a/makelib/helmoci.mk b/makelib/helmoci.mk new file mode 100644 index 0000000..f567c6f --- /dev/null +++ b/makelib/helmoci.mk 
@@ -0,0 +1,135 @@ +# Copyright 2023 The Upbound Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# TODO(turkenh): Consider moving this to upbound/build repo if it is useful for other projects. + +ifeq ($(HELM_CHARTS),) +$(error the variable HELM_CHARTS must be set prior to including helmoci.mk) +endif + +# the base url where helm charts are pushed +ifeq ($(HELM_OCI_URL),) +$(error the variable HELM_OCI_URL must be set prior to including helmoci.mk) +endif + +# the charts directory +HELM_CHARTS_DIR ?= $(ROOT_DIR)/cluster/charts + +# the charts output directory +HELM_OUTPUT_DIR ?= $(OUTPUT_DIR)/charts + +HELM_CHART_LINT_STRICT ?= true +ifeq ($(HELM_CHART_LINT_STRICT),true) +HELM_CHART_LINT_STRICT_ARG += --strict +endif + +# helm home +HELM_HOME := $(abspath $(WORK_DIR)/helm) +export HELM_HOME + +HELM_CACHE_HOME = $(HELM_HOME)/cache +HELM_CONFIG_HOME = $(HELM_HOME)/config +HELM_DATA_HOME = $(HELM_HOME)/data +export HELM_CACHE_HOME +export HELM_CONFIG_HOME +export HELM_DATA_HOME + +# remove the leading `v` for helm chart versions +HELM_CHART_VERSION := $(VERSION:v%=%) + +# ==================================================================================== +# Helm Targets +$(HELM_HOME): $(HELM) + @mkdir -p $(HELM_HOME) + +$(HELM_OUTPUT_DIR): + @mkdir -p $(HELM_OUTPUT_DIR) + +define helm.chart +$(HELM_OUTPUT_DIR)/$(1)-$(HELM_CHART_VERSION).tgz: $(HELM_HOME) $(HELM_OUTPUT_DIR) $(shell find $(HELM_CHARTS_DIR)/$(1) -type f) + @$(INFO) helm 
package $(1) $(HELM_CHART_VERSION) + $(HELM) package --version $(HELM_CHART_VERSION) --app-version $(HELM_CHART_VERSION) -d $(HELM_OUTPUT_DIR) $(abspath $(HELM_CHARTS_DIR)/$(1)) + @$(OK) helm package $(1) $(HELM_CHART_VERSION) + +helm.prepare.$(1): $(HELM_HOME) + @cp -f $(HELM_CHARTS_DIR)/$(1)/values.yaml.tmpl $(HELM_CHARTS_DIR)/$(1)/values.yaml + @cd $(HELM_CHARTS_DIR)/$(1) && $(SED_CMD) 's|%%VERSION%%|$(VERSION)|g' values.yaml + +helm.prepare: helm.prepare.$(1) + +helm.lint.$(1): $(HELM_HOME) helm.prepare.$(1) + @rm -rf $(abspath $(HELM_CHARTS_DIR)/$(1)/charts) + @$(HELM) dependency update $(abspath $(HELM_CHARTS_DIR)/$(1)) + @$(HELM) lint $(abspath $(HELM_CHARTS_DIR)/$(1)) $(HELM_CHART_LINT_ARGS_$(1)) $(HELM_CHART_LINT_STRICT_ARG) + +helm.lint: helm.lint.$(1) + +helm.dep.$(1): $(HELM_HOME) + @$(INFO) helm dep $(1) $(HELM_CHART_VERSION) + @$(HELM) dependency update $(abspath $(HELM_CHARTS_DIR)/$(1)) + @$(OK) helm dep $(1) $(HELM_CHART_VERSION) + +helm.dep: helm.dep.$(1) + +helm.build.$(1): $(HELM_OUTPUT_DIR)/$(1)-$(HELM_CHART_VERSION).tgz + +helm.build: helm.build.$(1) +endef +$(foreach p,$(HELM_CHARTS),$(eval $(call helm.chart,$(p)))) + +helm.clean: + @rm -fr $(HELM_OUTPUT_DIR) + +helm.env: $(HELM) + @$(HELM) env + +asd: + @echo asd +# ==================================================================================== +# helm push to OCI registry +define oci.push +helm.push.$(1): $(HELM_HOME) + @$(INFO) pushing helm chart $(1) to OCI registry $(HELM_OCI_URL) + @$(HELM) push $(HELM_OUTPUT_DIR)/$(1)-$(HELM_CHART_VERSION).tgz oci://$(HELM_OCI_URL) + @$(OK) pushing helm charts to OCI registry + +helm.push: helm.push.$(1) +endef +$(foreach p,$(HELM_CHARTS),$(eval $(call oci.push,$(p)))) +# ==================================================================================== +# Common Targets + +build.init: helm.prepare helm.lint +build.check: helm.dep +build.artifacts: helm.build +clean: helm.clean +lint: helm.lint +publish.artifacts: helm.push +# 
==================================================================================== +# Special Targets + +dep: helm.dep + +define HELM_HELPTEXT +Helm Targets: + dep Build and publish final releasable artifacts + +endef +export HELM_HELPTEXT + +helm.help: + @echo "$$HELM_HELPTEXT" + +help-special: helm.help + diff --git a/package/crds/issue.natssecrets.crossplane.io_accounts.yaml b/package/crds/issue.natssecrets.crossplane.io_accounts.yaml index 6c2e5e2..efe90e8 100644 --- a/package/crds/issue.natssecrets.crossplane.io_accounts.yaml +++ b/package/crds/issue.natssecrets.crossplane.io_accounts.yaml 
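Review bot: The `asd:` target (`asd: @echo asd`) in the Helm Targets section looks like leftover debugging output and should be removed before merge. `HELM_HELPTEXT` describes `dep` as "Build and publish final releasable artifacts" although `dep: helm.dep` only runs `helm dependency update`; `dep  Update helm chart dependencies` would match, and `helm.build`/`helm.push` are the targets that build and publish. `helm.lint.$(1)` also runs `$(HELM) dependency update` itself, duplicating `helm.dep.$(1)`; depending on `helm.dep.$(1)` instead avoids the double run. `helm.prepare.$(1)` writes a generated `values.yaml` next to `values.yaml.tmpl` inside the source tree, and since the `.tgz` rule's prerequisites are `find $(HELM_CHARTS_DIR)/$(1) -type f`, that file presumably needs to be git-ignored (not visible in this diff) so the generated file is neither committed nor treated as a stale input.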
@@ -10,624 +10,665 @@ spec: group: issue.natssecrets.crossplane.io names: categories: - - crossplane - - managed - - natssecrets + - crossplane + - managed + - natssecrets kind: Account listKind: AccountList plural: accounts singular: account scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .metadata.annotations.crossplane\.io/external-name - name: EXTERNAL-NAME - type: string - - jsonPath: .status.conditions[?(@.type=='Ready')].status - name: READY - type: string - - jsonPath: .status.conditions[?(@.type=='Synced')].status - name: SYNCED - type: string - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.atProvider.operator - name: OPERATOR - type: string - - jsonPath: .status.atProvider.nkey - name: NKEY - priority: 1 - type: string - - jsonPath: .status.atProvider.jwt - name: JWT - priority: 1 - type: string - - jsonPath: .status.atProvider.pushed - name: PUSHED - priority: 1 - type: string - - jsonPath: .status.atProvider.lastPushed - name: LAST PUSHED - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: A Account is an example API type. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: A AccountSpec defines the desired state of a Account. 
- properties: - deletionPolicy: - default: Delete - description: DeletionPolicy specifies what will happen to the underlying - external when this managed resource is deleted - either "Delete" - or "Orphan" the external resource. - enum: - - Orphan - - Delete - type: string - forProvider: - description: AccountParameters are the configurable fields of a Account. - properties: - claims: - description: Specifies claims of the JWT - properties: - account: - description: Account specific claims - properties: - defaultPermissions: - description: Default pub/sub permissions for this account - that users inherit - properties: - pub: - description: Specifies the publish permissions - properties: - allow: - description: Specifies allowed subjects - items: - type: string - type: array - deny: - description: Specifies denied subjects - items: + - additionalPrinterColumns: + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .status.atProvider.operator + name: OPERATOR + type: string + - jsonPath: .status.atProvider.nkey + name: NKEY + priority: 1 + type: string + - jsonPath: .status.atProvider.jwt + name: JWT + priority: 1 + type: string + - jsonPath: .status.atProvider.pushed + name: PUSHED + priority: 1 + type: string + - jsonPath: .status.atProvider.lastPushed + name: LAST PUSHED + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: A Account is an example API type. + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + spec: + description: A AccountSpec defines the desired state of a Account. + properties: + deletionPolicy: + default: Delete + description: + DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: AccountParameters are the configurable fields of a Account. + properties: + claims: + description: Specifies claims of the JWT + properties: + account: + description: Account specific claims + properties: + defaultPermissions: + description: + Default pub/sub permissions for this account + that users inherit + properties: + pub: + description: Specifies the publish permissions + properties: + allow: + description: Specifies allowed subjects + items: + type: string + type: array + deny: + description: Specifies denied subjects + items: + type: string + type: array + type: object + resp: + description: Specifies the response permissions + properties: + max: + description: The maximum number of messages + type: integer + ttl: + description: + Specifies the time to live for the + response type: string - type: array - type: object - resp: - description: Specifies the response permissions + required: + - max + - ttl + type: object + sub: + description: Specifies the subscribe permissions + properties: + allow: + description: Specifies allowed subjects + items: + type: string + type: array + deny: + description: 
Specifies denied subjects + items: + type: string + type: array + type: object + type: object + description: + description: A human readable description + type: string + exports: + description: + A list of account/subject combinations that + this account is allowed to export + items: + description: + Export describes a mapping from this account + to another one properties: - max: - description: The maximum number of messages + accountTokenPosition: + description: + The account token position for the + export type: integer - ttl: - description: Specifies the time to live for the - response + advertise: + description: Specifies if the export is advertised + type: boolean + description: + description: A human readable description + type: string + infoURL: + description: This is a URL to more information + type: string + name: + description: The name of the export + type: string + responseThreshold: + description: The response threshold for the export + type: string + responseType: + description: The response type for the export + type: string + revocations: + additionalProperties: + format: int64 + type: integer + description: The revocations for the export + type: object + serviceLatency: + description: The latency for the export. 
+ properties: + results: + description: Specifies the results for the latency + type: string + sampling: + description: + Specifies the sampling for the + latency + type: integer + required: + - results + - sampling + type: object + subject: + description: The subject to export + type: string + tokenReq: + description: + Specifies if a token is required for + the export + type: boolean + type: + description: The type of the export type: string - required: - - max - - ttl type: object - sub: - description: Specifies the subscribe permissions + type: array + imports: + description: + A list of account/subject combinations that + this account is allowed to import + items: + description: + Import describes a mapping from another + account into this one properties: - allow: - description: Specifies allowed subjects - items: - type: string - type: array - deny: - description: Specifies denied subjects - items: - type: string - type: array + account: + description: The account to import from + type: string + localSubject: + description: The local subject to import to + type: string + name: + description: The name of the import + type: string + share: + description: Specifies if the import is shared + type: boolean + subject: + description: The subject to import + type: string + token: + description: The token to use for the import + type: string + type: + description: The type of the import + type: string type: object - type: object - description: - description: A human readable description - type: string - exports: - description: A list of account/subject combinations that - this account is allowed to export - items: - description: Export describes a mapping from this account - to another one + type: array + infoURL: + description: This is a URL to more information + type: string + limits: + description: A set of limits for this account properties: - accountTokenPosition: - description: The account token position for the - export + conn: + description: Max number of 
connections + format: int64 type: integer - advertise: - description: Specifies if the export is advertised + consumer: + description: Max number of consumers + format: int64 + type: integer + data: + description: Specifies the maximum number of bytes + format: int64 + type: integer + disallowBearer: + description: + Specifies that user JWT can't be bearer + token type: boolean - description: - description: A human readable description - type: string - infoURL: - description: This is a URL to more information - type: string - name: - description: The name of the export - type: string - responseThreshold: - description: The response threshold for the export - type: string - responseType: - description: The response type for the export - type: string - revocations: - additionalProperties: - format: int64 - type: integer - description: The revocations for the export - type: object - serviceLatency: - description: The latency for the export. + diskMaxStreamBytes: + default: 0 + description: + Max number of bytes a stream can have + on disk. (0 means unlimited) + format: int64 + type: integer + diskStorage: + description: + Max number of bytes stored on disk across + all streams. (0 means disabled) + format: int64 + type: integer + exports: + description: Max number of exports + format: int64 + type: integer + imports: + description: Max number of imports + format: int64 + type: integer + leafNodeConn: + description: Max number of leaf node connections + format: int64 + type: integer + maxAckPending: + description: Max number of acks pending + format: int64 + type: integer + maxBytesRequired: + description: Max bytes required by all Streams + type: boolean + memMaxStreamBytes: + default: 0 + description: + Max number of bytes a stream can have + in memory. (0 means unlimited) + format: int64 + type: integer + memStorage: + description: + Max number of bytes stored in memory + across all streams. 
(0 means disabled) + format: int64 + type: integer + payload: + description: Specifies the maximum message payload + format: int64 + type: integer + streams: + description: Max number of streams + format: int64 + type: integer + subs: + description: Specifies the maximum number of subscriptions + format: int64 + type: integer + wildcardExports: + description: + Specifies if wildcards are allowed in + exports + type: boolean + type: object + mappings: + additionalProperties: + items: + description: + WeightedMapping is a mapping from one + subject to another with a weight and a destination + cluster properties: - results: - description: Specifies the results for the latency + cluster: + description: The cluster to map to + type: string + subject: + description: The subject to map to type: string - sampling: - description: Specifies the sampling for the - latency + weight: + description: + The amount of 100% that this mapping + should be used type: integer required: - - results - - sampling + - subject type: object - subject: - description: The subject to export - type: string - tokenReq: - description: Specifies if a token is required for - the export - type: boolean - type: - description: The type of the export - type: string - type: object - type: array - imports: - description: A list of account/subject combinations that - this account is allowed to import - items: - description: Import describes a mapping from another - account into this one - properties: - account: - description: The account to import from - type: string - localSubject: - description: The local subject to import to - type: string - name: - description: The name of the import - type: string - share: - description: Specifies if the import is shared - type: boolean - subject: - description: The subject to import - type: string - token: - description: The token to use for the import - type: string - type: - description: The type of the import - type: string + type: array + description: + Stores 
subjects that get mapped to other + subjects using a weighted mapping. For more information + see https://docs.nats.io/nats-concepts/subject_mapping type: object - type: array - infoURL: - description: This is a URL to more information - type: string - limits: - description: A set of limits for this account - properties: - conn: - description: Max number of connections - format: int64 - type: integer - consumer: - description: Max number of consumers - format: int64 - type: integer - data: - description: Specifies the maximum number of bytes - format: int64 - type: integer - disallowBearer: - description: Specifies that user JWT can't be bearer - token - type: boolean - diskMaxStreamBytes: - default: 0 - description: Max number of bytes a stream can have - on disk. (0 means unlimited) - format: int64 - type: integer - diskStorage: - description: Max number of bytes stored on disk across - all streams. (0 means disabled) - format: int64 - type: integer - exports: - description: Max number of exports - format: int64 - type: integer - imports: - description: Max number of imports - format: int64 - type: integer - leafNodeConn: - description: Max number of leaf node connections - format: int64 - type: integer - maxAckPending: - description: Max number of acks pending - format: int64 - type: integer - maxBytesRequired: - description: Max bytes required by all Streams - type: boolean - memMaxStreamBytes: - default: 0 - description: Max number of bytes a stream can have - in memory. (0 means unlimited) - format: int64 - type: integer - memStorage: - description: Max number of bytes stored in memory - across all streams. 
(0 means disabled) - format: int64 - type: integer - payload: - description: Specifies the maximum message payload - format: int64 - type: integer - streams: - description: Max number of streams - format: int64 - type: integer - subs: - description: Specifies the maximum number of subscriptions + revocations: + additionalProperties: format: int64 type: integer - wildcardExports: - description: Specifies if wildcards are allowed in - exports - type: boolean - type: object - mappings: - additionalProperties: + description: + Stores user JWTs that have been revoked and + the time they were revoked + type: object + signingKeys: + description: A list of signing keys the account can use items: - description: WeightedMapping is a mapping from one - subject to another with a weight and a destination - cluster - properties: - cluster: - description: The cluster to map to - type: string - subject: - description: The subject to map to - type: string - weight: - description: The amount of 100% that this mapping - should be used - type: integer - required: - - subject - type: object + type: string type: array - description: Stores subjects that get mapped to other - subjects using a weighted mapping. 
For more information - see https://docs.nats.io/nats-concepts/subject_mapping - type: object - revocations: - additionalProperties: - format: int64 - type: integer - description: Stores user JWTs that have been revoked and - the time they were revoked - type: object - signingKeys: - description: A list of signing keys the account can use - items: - type: string - type: array - tags: - description: Do not set manually - items: + tags: + description: Do not set manually + items: + type: string + type: array + type: + description: Do not set manually type: string - type: array - type: - description: Do not set manually - type: string - version: - description: Do not set manually - type: integer - type: object - aud: - description: Do not set manually - type: string - exp: - description: Do not set manually - format: int64 - type: integer - iat: - description: Do not set manually - format: int64 - type: integer - iss: - description: Do not set manually - type: string - jti: - description: Do not set manually - type: string - name: - description: Do not set manually - type: string - nbf: - description: Do not set manually - format: int64 - type: integer - sub: - description: Do not set manually - type: string - type: object - operator: - type: string - useSigningKey: - type: string - required: - - operator - type: object - providerConfigRef: - default: - name: default - description: ProviderConfigReference specifies how the provider that - will be used to create, observe, update, and delete this managed - resource should be configured. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 
'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - providerRef: - description: 'ProviderReference specifies the provider that will be - used to create, observe, update, and delete this managed resource. - Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of this - reference is required. The default is 'Required', which - means the reconcile will fail if the reference cannot be - resolved. 'Optional' means this reference will be a no-op - if it cannot be resolved. - enum: - - Required - - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will attempt - to resolve the reference only when the corresponding field - is not present. Use 'Always' to resolve the reference on - every reconcile. - enum: - - Always - - IfNotPresent - type: string - type: object - required: - - name - type: object - publishConnectionDetailsTo: - description: PublishConnectionDetailsTo specifies the connection secret - config which contains a name, metadata and a reference to secret - store config to which any connection details for this managed resource - should be written. Connection details frequently include the endpoint, - username, and password required to connect to the managed resource. 
- properties: - configRef: - default: - name: default - description: SecretStoreConfigRef specifies which secret store - config should be used for this ConnectionSecret. - properties: - name: - description: Name of the referenced object. - type: string - policy: - description: Policies for referencing. - properties: - resolution: - default: Required - description: Resolution specifies whether resolution of - this reference is required. The default is 'Required', - which means the reconcile will fail if the reference - cannot be resolved. 'Optional' means this reference - will be a no-op if it cannot be resolved. - enum: + version: + description: Do not set manually + type: integer + type: object + aud: + description: Do not set manually + type: string + exp: + description: Do not set manually + format: int64 + type: integer + iat: + description: Do not set manually + format: int64 + type: integer + iss: + description: Do not set manually + type: string + jti: + description: Do not set manually + type: string + name: + description: Do not set manually + type: string + nbf: + description: Do not set manually + format: int64 + type: integer + sub: + description: Do not set manually + type: string + type: object + operator: + type: string + useSigningKey: + type: string + required: + - operator + type: object + providerConfigRef: + default: + name: default + description: + ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: + Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. 
+ enum: - Required - Optional - type: string - resolve: - description: Resolve specifies when this reference should - be resolved. The default is 'IfNotPresent', which will - attempt to resolve the reference only when the corresponding - field is not present. Use 'Always' to resolve the reference - on every reconcile. - enum: + type: string + resolve: + description: + Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: - Always - IfNotPresent - type: string - type: object - required: + type: string + type: object + required: - name - type: object - metadata: - description: Metadata is the metadata for connection secret. - properties: - annotations: - additionalProperties: + type: object + providerRef: + description: + "ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`" + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: + Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional type: string - description: Annotations are the annotations to be added to - connection secret. - For Kubernetes secrets, this will be - used as "metadata.annotations". - It is up to Secret Store - implementation for others store types. - type: object - labels: - additionalProperties: + resolve: + description: + Resolve specifies when this reference should + be resolved. 
The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent type: string - description: Labels are the labels/tags to be added to connection - secret. - For Kubernetes secrets, this will be used as "metadata.labels". - - It is up to Secret Store implementation for others store - types. - type: object - type: - description: Type is the SecretType for the connection secret. - - Only valid for Kubernetes Secret Stores. - type: string - type: object - name: - description: Name is the name of the connection secret. - type: string - required: - - name - type: object - writeConnectionSecretToRef: - description: WriteConnectionSecretToReference specifies the namespace - and name of a Secret to which any connection details for this managed - resource should be written. Connection details frequently include - the endpoint, username, and password required to connect to the - managed resource. This field is planned to be replaced in a future - release in favor of PublishConnectionDetailsTo. Currently, both - could be set independently and connection details would be published - to both without affecting each other. - properties: - name: - description: Name of the secret. - type: string - namespace: - description: Namespace of the secret. - type: string - required: - - name - - namespace - type: object - required: - - forProvider - type: object - status: - description: A AccountStatus represents the observed state of a Account. - properties: - atProvider: - description: AccountObservation are the observable fields of a Account. 
- properties: - account: - type: string - issue: - type: string - jwt: - type: string - jwtPath: - type: string - lastPushed: - type: string - nkey: - type: string - nkeyPath: - type: string - operator: - type: string - pushed: - type: string - type: object - conditions: - description: Conditions of the resource. - items: - description: A Condition that may apply to a resource. + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: + PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: + SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: + Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: + Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. 
+ properties: + annotations: + additionalProperties: + type: string + description: + Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: + Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: + WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: A AccountStatus represents the observed state of a Account. + properties: + atProvider: + description: AccountObservation are the observable fields of a Account. properties: - lastTransitionTime: - description: LastTransitionTime is the last time this condition - transitioned from one status to another. 
- format: date-time + account: type: string - message: - description: A Message containing details about this condition's - last transition from one status to another, if any. + issue: type: string - reason: - description: A Reason for this condition's last transition from - one status to another. + jwt: type: string - status: - description: Status of this condition; is it currently True, - False, or Unknown? + jwtPath: type: string - type: - description: Type of this condition. At most one of each condition - type may apply to a resource at any point in time. + lastPushed: + type: string + nkey: + type: string + nkeyPath: + type: string + operator: + type: string + pushed: type: string - required: - - lastTransitionTime - - reason - - status - - type type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: + LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: + A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: + A Reason for this condition's last transition from + one status to another. + type: string + status: + description: + Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: + Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}