From 07331b0747a645f6b3da2d5dc2de397c8eb44af7 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Thu, 4 Jun 2026 10:27:09 +0200 Subject: [PATCH] add VenafiConnection CRD to discovery-agent Helm chart 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- deploy/charts/discovery-agent/README.md | 15 + .../discovery-agent/crd_bases/crd.footer.yaml | 2 + .../crd.header-without-validations.yaml | 13 + .../discovery-agent/crd_bases/crd.header.yaml | 13 + .../jetstack.io_venaficonnections.yaml | 1944 +++++++++++++++++ .../templates/_venafi-connection.tpl | 26 + .../discovery-agent/templates/deployment.yaml | 4 + ...fi-connection-crd.without-validations.yaml | 1788 +++++++++++++++ .../templates/venafi-connection-crd.yaml | 1848 ++++++++++++++++ .../templates/venafi-connection-rbac.yaml | 47 + .../templates/venafi-rbac.yaml | 31 + .../tests/deployment_test.yaml | 51 + .../charts/discovery-agent/values.schema.json | 24 + deploy/charts/discovery-agent/values.yaml | 15 + klone.yaml | 22 +- make/02_mod.mk | 7 +- make/_shared/generate-verify/02_mod.mk | 12 +- make/ark/02_mod.mk | 2 +- make/ngts/02_mod.mk | 8 +- 19 files changed, 5849 insertions(+), 23 deletions(-) create mode 100644 deploy/charts/discovery-agent/crd_bases/crd.footer.yaml create mode 100644 deploy/charts/discovery-agent/crd_bases/crd.header-without-validations.yaml create mode 100644 deploy/charts/discovery-agent/crd_bases/crd.header.yaml create mode 100644 deploy/charts/discovery-agent/crd_bases/jetstack.io_venaficonnections.yaml create mode 100644 deploy/charts/discovery-agent/templates/_venafi-connection.tpl create mode 100644 deploy/charts/discovery-agent/templates/venafi-connection-crd.without-validations.yaml create mode 100644 deploy/charts/discovery-agent/templates/venafi-connection-crd.yaml create mode 100644 deploy/charts/discovery-agent/templates/venafi-connection-rbac.yaml create mode 100644 deploy/charts/discovery-agent/templates/venafi-rbac.yaml diff --git a/deploy/charts/discovery-agent/README.md b/deploy/charts/discovery-agent/README.md index 80ca29e1..111e8409 100644 --- a/deploy/charts/discovery-agent/README.md +++ b/deploy/charts/discovery-agent/README.md 
@@ -6,6 +6,21 @@ The Discovery Agent connects your Kubernetes or OpenShift cluster to Palo Alto N
+### Venafi Connection
+
+#### **venafiConnection.include** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+
+When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful for when the Venafi Connection resoures are already installed separately.
+#### **venafiConnection.serviceAccountNamespace** ~ `string`
+
+The namespace in which the 'venafi-connection' service account lives. This is the service account that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace in which the controller is running)
+
+### Discovery Agent
+
 #### **config.tsgID** ~ `number,string`
 > Default value:
 > ```yaml
diff --git a/deploy/charts/discovery-agent/crd_bases/crd.footer.yaml b/deploy/charts/discovery-agent/crd_bases/crd.footer.yaml
new file mode 100644
index 00000000..e7b91194
--- /dev/null
+++ b/deploy/charts/discovery-agent/crd_bases/crd.footer.yaml
@@ -0,0 +1,2 @@
+{{ end }}
+{{ end }}
diff --git a/deploy/charts/discovery-agent/crd_bases/crd.header-without-validations.yaml b/deploy/charts/discovery-agent/crd_bases/crd.header-without-validations.yaml
new file mode 100644
index 00000000..ce1d8a36
--- /dev/null
+++ b/deploy/charts/discovery-agent/crd_bases/crd.header-without-validations.yaml
@@ -0,0 +1,13 @@
+{{/* DO NOT EDIT. Use 'make generate-crds-venconn' to regenerate. */}}
+{{- if .Values.venafiConnection.include }}
+{{- if (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: "venaficonnections.jetstack.io"
+ annotations:
+ # This annotation prevents the CRD from being pruned by Helm when this chart
+ # is deleted.
+ helm.sh/resource-policy: keep
+ labels:
+ {{- include "venafi-connection.labels" . | nindent 4 }}
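Review bot: The version gate `{{- if (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }}` on the third line of crd.header-without-validations.yaml, and its mirror `not (...)` in crd.header.yaml, do not match cluster versions that carry a pre-release suffix (a GitVersion of the form `v1.24.x-gke.y` or `v1.24.x-eks-z`, for example), because semverCompare only admits pre-release versions when the constraint itself contains a pre-release part. On such a 1.24 cluster the `<1.25` test is false, so the validations-free variant is skipped and the variant carrying `x-kubernetes-validations` — the one this file presumably exists to avoid there — is rendered instead. Appending `-0` to the constraint in both files fixes this: `{{- if (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}` here and `{{- if not (semverCompare "<1.25-0" .Capabilities.KubeVersion.GitVersion) }}` in crd.header.yaml. A short template comment above the gate, e.g. `{{/* Pre-1.25 API servers get the schema without its CEL x-kubernetes-validations rules, so those constraints are not enforced server-side there. */}}`, would also tell readers why two CRD variants exist.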
diff --git a/deploy/charts/discovery-agent/crd_bases/crd.header.yaml b/deploy/charts/discovery-agent/crd_bases/crd.header.yaml
new file mode 100644
index 00000000..22207680
--- /dev/null
+++ b/deploy/charts/discovery-agent/crd_bases/crd.header.yaml
@@ -0,0 +1,13 @@
+{{/* DO NOT EDIT. Use 'make generate-crds-venconn' to regenerate. */}}
+{{- if .Values.venafiConnection.include }}
+{{- if not (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: "venaficonnections.jetstack.io"
+ annotations:
+ # This annotation prevents the CRD from being pruned by Helm when this chart
+ # is deleted.
+ helm.sh/resource-policy: keep
+ labels:
+ {{- include "venafi-connection.labels" . | nindent 4 }}
diff --git a/deploy/charts/discovery-agent/crd_bases/jetstack.io_venaficonnections.yaml b/deploy/charts/discovery-agent/crd_bases/jetstack.io_venaficonnections.yaml
new file mode 100644
index 00000000..9389601d
--- /dev/null
+++ b/deploy/charts/discovery-agent/crd_bases/jetstack.io_venaficonnections.yaml
@@ -0,0 +1,1944 @@ +# DO NOT EDIT: Use 'make generate-crds-venconn' to regenerate. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: venaficonnections.jetstack.io +spec: + group: jetstack.io + names: + kind: VenafiConnection + listKind: VenafiConnectionList + plural: venaficonnections + shortNames: + - vc + singular: venaficonnection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. + If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + distributedIssuer: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to the Distributed Issuer. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. 
+ format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. 
+ type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Distributed Issuer instance. + type: string + required: + - url + type: object + firefly: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to the Distributed Issuer. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". 
+ enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. 
It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". 
+ enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Distributed Issuer instance. + type: string + required: + - url + type: object + ngts: + properties: + jwt: + description: The list of steps to retrieve the JWT that will be + used to connect to the NGTS Data Plane. 
+ items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. 
+ + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. 
A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. 
+ type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + tsgID: + description: |- + The TSGID of the NGTS instance to connect to. + This is a required field when URL is not set, and is used to construct the default URL in + the format https://.ngts.paloaltonetworks.com + type: string + url: + description: |- + The URL to connect to the NGTS Data Plane. If not set, the default + value https://.ngts.paloaltonetworks.com is used. + type: string + required: + - jwt + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [tsgID url] must be set + rule: '[has(self.tsgID),has(self.url)].filter(x,x==true).size() + == 1' + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. 
+ items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. 
+ + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. 
A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. 
+ type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - accessToken + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the + field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. 
The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. 
+ items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. 
+ properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". 
+ enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. 
It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". 
+ enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. 
+ type: string + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [apiKey accessToken] must + be set + rule: '[has(self.apiKey),has(self.accessToken)].filter(x,x==true).size() + == 1' + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. 
+ type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. 
The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. 
+ type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded + in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. 
+ format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate + with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] + may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() + <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with Certificate Manager, SaaS. 
+ type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken + hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP + tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() + == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [apiKey accessToken] must + be set + rule: '[has(self.apiKey),has(self.accessToken)].filter(x,x==true).size() + == 1' + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [tpp ngts vcp vaas distributedIssuer + firefly] must be set + rule: '[has(self.tpp),has(self.ngts),has(self.vcp),has(self.vaas),has(self.distributedIssuer),has(self.firefly)].filter(x,x==true).size() + == 1' + status: + properties: + conditions: + description: List of status conditions to indicate the status of a + VenafiConnection. + items: + description: ConnectionCondition contains condition information + for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: lastUpdateTime is the time of the last update to + this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. 
+ type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the + Certificate Manager, SaaS. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/charts/discovery-agent/templates/_venafi-connection.tpl b/deploy/charts/discovery-agent/templates/_venafi-connection.tpl new file mode 100644 index 00000000..07e7fe1c --- /dev/null +++ b/deploy/charts/discovery-agent/templates/_venafi-connection.tpl 
@@ -0,0 +1,26 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "venafi-connection.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "venafi-connection.labels" -}}
+helm.sh/chart: {{ include "venafi-connection.chart" . }}
+{{ include "venafi-connection.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "venafi-connection.selectorLabels" -}}
+app.kubernetes.io/name: "venafi-connection"
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/deploy/charts/discovery-agent/templates/deployment.yaml b/deploy/charts/discovery-agent/templates/deployment.yaml
index 04abcada..18ec6c51 100644
--- a/deploy/charts/discovery-agent/templates/deployment.yaml
+++ b/deploy/charts/discovery-agent/templates/deployment.yaml
@@ -91,6 +91,10 @@ spec:
 - {{ .Values.config.venafiConnection.name | quote }}
 - --venafi-connection-namespace
 - {{ .Values.config.venafiConnection.namespace | quote }}
+ {{- with .Values.venafiConnection.serviceAccountNamespace }}
+ - --install-namespace
+ - {{ . | quote }}
+ {{- end }}
 {{- else }}
 - --ngts
 {{- if and .Values.config.tsgID .Values.config.serverURL }}
diff --git a/deploy/charts/discovery-agent/templates/venafi-connection-crd.without-validations.yaml b/deploy/charts/discovery-agent/templates/venafi-connection-crd.without-validations.yaml
new file mode 100644
index 00000000..3f28e932
--- /dev/null
+++ b/deploy/charts/discovery-agent/templates/venafi-connection-crd.without-validations.yaml
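Review bot: None of the three helpers in `_venafi-connection.tpl` says why this file defines its own `venafi-connection.*` label helpers rather than reusing the chart's existing ones, and `venafi-connection.selectorLabels` stamps `app.kubernetes.io/instance: {{ .Release.Name }}` onto what the following hunk shows is a CustomResourceDefinition, which is cluster-scoped and carries `helm.sh/resource-policy: keep`. The CRD name `venaficonnections.jetstack.io` is a cluster singleton, so a second release that also renders it would overwrite these labels and, given Helm's release-ownership annotations, presumably fail to adopt the existing object; that constraint belongs next to the helper that produces the labels. Suggest replacing the `Common labels` comment with `Labels for the vendored VenafiConnection CRD. The CRD is cluster-scoped and kept on uninstall (helm.sh/resource-policy: keep), so only one release per cluster should render it (gated by venafiConnection.include).`, and noting on `Selector labels` that `instance` reflects whichever release last applied the CRD.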
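Review bot: The new `--install-namespace` argument is fed from `.Values.venafiConnection.serviceAccountNamespace`, a different values subtree from the `.Values.config.venafiConnection.*` keys on the surrounding context lines, and nothing in the template explains how the two relate or why the flag name and the value name differ. If the agent uses this value to decide which namespace its ServiceAccount token or referenced Secrets are resolved in, a value that disagrees with the namespace the chart actually installs into could make connections fail or resolve against the wrong namespace, so the intent should be documented at the call site. Suggest a template comment directly above the `with` block: `{{- /* Namespace of the ServiceAccount the agent presents to the VenafiConnection (venafiConnection.serviceAccountNamespace); distinct from config.venafiConnection.namespace, which is where the VenafiConnection object lives. TODO confirm the agent's default when this is unset. */}}`. The enclosing container args list starts and ends outside the hunk.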
@@ -0,0 +1,1788 @@ +{{/* DO NOT EDIT. Use 'make generate-crds-venconn' to regenerate. */}} +{{- if .Values.venafiConnection.include }} +{{- if (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: "venaficonnections.jetstack.io" + annotations: + # This annotation prevents the CRD from being pruned by Helm when this chart + # is deleted. + helm.sh/resource-policy: keep + labels: + {{- include "venafi-connection.labels" . | nindent 4 }} +spec: + group: jetstack.io + names: + kind: VenafiConnection + listKind: VenafiConnectionList + plural: venaficonnections + shortNames: + - vc + singular: venaficonnection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. 
+ If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + distributedIssuer: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to the Distributed Issuer. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. 
The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. 
+ items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Distributed Issuer instance. 
+ type: string + required: + - url + type: object + firefly: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to the Distributed Issuer. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. 
+ properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. 
+ type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Distributed Issuer instance. + type: string + required: + - url + type: object + ngts: + properties: + jwt: + description: The list of steps to retrieve the JWT that will be used to connect to the NGTS Data Plane. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. 
Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. 
+ properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. 
+ type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + tsgID: + description: |- + The TSGID of the NGTS instance to connect to. + This is a required field when URL is not set, and is used to construct the default URL in + the format https://.ngts.paloaltonetworks.com + type: string + url: + description: |- + The URL to connect to the NGTS Data Plane. If not set, the default + value https://.ngts.paloaltonetworks.com is used. + type: string + required: + - jwt + type: object + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. 
Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. 
Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. 
The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. 
The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - accessToken + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. 
+ type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. 
+ type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. 
The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". 
+ enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. 
It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". 
+ enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. 
+ type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. 
+ type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. 
+ format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. 
The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. 
+ items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
+ type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + type: object + status: + properties: + conditions: + description: List of status conditions to indicate the status of a VenafiConnection. + items: + description: ConnectionCondition contains condition information for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: lastUpdateTime is the time of the last update to this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the + Certificate Manager, SaaS. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. 
`VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{ end }} +{{ end }} diff --git a/deploy/charts/discovery-agent/templates/venafi-connection-crd.yaml b/deploy/charts/discovery-agent/templates/venafi-connection-crd.yaml new file mode 100644 index 00000000..9110a291 --- /dev/null +++ b/deploy/charts/discovery-agent/templates/venafi-connection-crd.yaml 
@@ -0,0 +1,1848 @@ +{{/* DO NOT EDIT. Use 'make generate-crds-venconn' to regenerate. */}} +{{- if .Values.venafiConnection.include }} +{{- if not (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: "venaficonnections.jetstack.io" + annotations: + # This annotation prevents the CRD from being pruned by Helm when this chart + # is deleted. + helm.sh/resource-policy: keep + labels: + {{- include "venafi-connection.labels" . | nindent 4 }} +spec: + group: jetstack.io + names: + kind: VenafiConnection + listKind: VenafiConnectionList + plural: venaficonnections + shortNames: + - vc + singular: venaficonnection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. 
+ If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + distributedIssuer: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to the Distributed Issuer. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. 
The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. 
+ items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
+ type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Distributed Issuer instance. + type: string + required: + - url + type: object + firefly: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to the Distributed Issuer. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". 
+ enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. 
It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". 
+ enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: The URL to connect to the Distributed Issuer instance. + type: string + required: + - url + type: object + ngts: + properties: + jwt: + description: The list of steps to retrieve the JWT that will be used to connect to the NGTS Data Plane. 
+ items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. 
+ + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. 
A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. 
+ type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + tsgID: + description: |- + The TSGID of the NGTS instance to connect to. + This is a required field when URL is not set, and is used to construct the default URL in + the format https://.ngts.paloaltonetworks.com + type: string + url: + description: |- + The URL to connect to the NGTS Data Plane. If not set, the default + value https://.ngts.paloaltonetworks.com is used. + type: string + required: + - jwt + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [tsgID url] must be set + rule: '[has(self.tsgID),has(self.url)].filter(x,x==true).size() == 1' + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. 
+ items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. 
+ + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. 
A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. 
+ type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - accessToken + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. 
It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. 
The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. 
+ items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
+ type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. 
Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. 
+ properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. 
+ type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. 
+ type: string + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [apiKey accessToken] must be set + rule: '[has(self.apiKey),has(self.accessToken)].filter(x,x==true).size() == 1' + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. 
+ type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. 
+ type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. 
The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. + type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + Certificate Manager, SaaS. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. 
+ type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. 
+ type: string + required: + - fields + - secretPath + type: object + privateKeyJWT: + description: |- + PrivateKeyJWT is a SecretSource step that generates a JWT token signed by the input private key. + This JWT can typically be used to authenticate to the NGTS Data Plane. + properties: + clientID: + description: ClientID is the clientID that will be encoded in the "iss" and "sub" claims of the generated JWT. + type: string + required: + - clientID + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intended audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. 
+ format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientID: + description: ClientID is the clientID used to authenticate with TPP. + type: string + clientId: + description: 'Deprecated: use clientID instead.' + type: string + url: + description: |- + The URL to connect to the Certificate Manager, Self-Hosted instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + x-kubernetes-validations: + - message: at most one of the fields in [clientID clientId] may be set + rule: '[has(self.clientID),has(self.clientId)].filter(x,x==true).size() <= 1' + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the + Certificate Manager, SaaS. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with Certificate Manager, SaaS. 
+ type: string + type: object + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [secret serviceAccountToken hashicorpVaultOAuth hashicorpVaultSecret hashicorpVaultLDAP tppOAuth vcpOAuth privateKeyJWT] must be set + rule: '[has(self.secret),has(self.serviceAccountToken),has(self.hashicorpVaultOAuth),has(self.hashicorpVaultSecret),has(self.hashicorpVaultLDAP),has(self.tppOAuth),has(self.vcpOAuth),has(self.privateKeyJWT)].filter(x,x==true).size() == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Certificate Manager, SaaS instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [apiKey accessToken] must be set + rule: '[has(self.apiKey),has(self.accessToken)].filter(x,x==true).size() == 1' + type: object + x-kubernetes-validations: + - message: exactly one of the fields in [tpp ngts vcp vaas distributedIssuer firefly] must be set + rule: '[has(self.tpp),has(self.ngts),has(self.vcp),has(self.vaas),has(self.distributedIssuer),has(self.firefly)].filter(x,x==true).size() == 1' + status: + properties: + conditions: + description: List of status conditions to indicate the status of a VenafiConnection. + items: + description: ConnectionCondition contains condition information for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: lastUpdateTime is the time of the last update to this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. 
+ type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the + Certificate Manager, SaaS. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{ end }} +{{ end }} diff --git a/deploy/charts/discovery-agent/templates/venafi-connection-rbac.yaml b/deploy/charts/discovery-agent/templates/venafi-connection-rbac.yaml new file mode 100644 index 00000000..5327bf37 --- /dev/null +++ b/deploy/charts/discovery-agent/templates/venafi-connection-rbac.yaml 
@@ -0,0 +1,47 @@
+{{- if .Values.venafiConnection.include }}
+{{- $saNamespace := .Values.venafiConnection.serviceAccountNamespace | default $.Release.Namespace }}
+# The 'venafi-connection' service account is used by multiple
+# controllers. When configuring which resources a VenafiConnection
+# can access, the RBAC rules you create manually must point to this SA.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: venafi-connection
+ namespace: {{ $saNamespace | quote }}
+ labels:
+ {{- include "venafi-connection.labels" $ | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: venafi-connection-role
+ labels:
+ {{- include "venafi-connection.labels" $ | nindent 4 }}
+rules:
+- apiGroups: [ "" ]
+ resources: [ "namespaces" ]
+ verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+ resources: [ "venaficonnections" ]
+ verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+ resources: [ "venaficonnections/status" ]
+ verbs: [ "get", "patch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: venafi-connection-rolebinding
+ labels:
+ {{- include "venafi-connection.labels" $ | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: venafi-connection-role
+subjects:
+- kind: ServiceAccount
+ name: venafi-connection
+ namespace: {{ $saNamespace | quote }}
+{{- end }}
diff --git a/deploy/charts/discovery-agent/templates/venafi-rbac.yaml b/deploy/charts/discovery-agent/templates/venafi-rbac.yaml
new file mode 100644
index 00000000..35cf8792
--- /dev/null
+++ b/deploy/charts/discovery-agent/templates/venafi-rbac.yaml
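Review bot: Nothing in this chart runs a pod as the `venafi-connection` ServiceAccount — the agent reaches it by impersonation (templates/venafi-rbac.yaml) — so I would add `automountServiceAccountToken: false` to the ServiceAccount, so that a workload later created under this SA name does not receive a mounted token for the identity operators are told to bind Secret-reading RBAC to. The header comment should also state that the discovery-agent impersonates this SA, because that is what turns "the RBAC rules you create manually for this SA" into the agent's effective access, and it is what audit logs will record as the impersonated user. The SA, ClusterRole and ClusterRoleBinding names are fixed rather than release-scoped, so presumably `include: true` cannot be installed next to a separately installed copy; a sentence on that in values.yaml would save operators a confusing Helm ownership error.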
@@ -0,0 +1,31 @@
+{{- if .Values.config.venafiConnection.enabled }}
+{{- $saNamespace := .Values.venafiConnection.serviceAccountNamespace | default $.Release.Namespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "discovery-agent.fullname" . }}-impersonate-role
+ namespace: {{ $saNamespace | quote }}
+ labels:
+ {{- include "discovery-agent.labels" . | nindent 4 }}
+rules:
+- apiGroups: [ "" ]
+ resources: [ "serviceaccounts" ]
+ verbs: [ "impersonate" ]
+ resourceNames: [ "venafi-connection" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "discovery-agent.fullname" . }}-impersonate-rolebinding
+ namespace: {{ $saNamespace | quote }}
+ labels:
+ {{- include "discovery-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "discovery-agent.fullname" . }}-impersonate-role
+subjects:
+- kind: ServiceAccount
+ name: {{ include "discovery-agent.serviceAccountName" . }}
+ namespace: {{ $.Release.Namespace | quote }}
+{{- end }}
diff --git a/deploy/charts/discovery-agent/tests/deployment_test.yaml b/deploy/charts/discovery-agent/tests/deployment_test.yaml
index 06def8c2..21f7969e 100644
--- a/deploy/charts/discovery-agent/tests/deployment_test.yaml
+++ b/deploy/charts/discovery-agent/tests/deployment_test.yaml
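Review bot: This Role is the single place where the agent's own SA gains the reach of a second identity, and the reasoning behind its narrow shape — `impersonate` on `serviceaccounts` only, pinned by `resourceNames: [ "venafi-connection" ]`, no `users`/`groups`/`uids` — is not written down anywhere; I would add a header comment such as `# The agent authenticates as its own SA and impersonates 'venafi-connection' to read credential Secrets / request tokens. Keep this Role limited to that one SA; never widen it to users, groups or all serviceaccounts.` Separately, this template is gated on `config.venafiConnection.enabled` while the SA itself is only rendered when `venafiConnection.include` is true, so with `enabled: true, include: false` the RoleBinding refers to an SA that must already exist in `$saNamespace`, and a typo in `serviceAccountNamespace` yields a Role in the wrong namespace with no error at install time. At minimum a comment that the SA is expected to pre-exist in that namespace would make this failure mode visible.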
@@ -501,3 +501,54 @@ tests:
 asserts:
 - isKind:
 of: Deployment
+
+ # When venafiConnection.serviceAccountNamespace is set in VenafiConnection
+ # mode, the chart should pass --install-namespace to the agent so it knows
+ # which namespace holds the 'venafi-connection' service account used for
+ # token issuance / credential reads.
+ - it: VenafiConnection mode passes --install-namespace when serviceAccountNamespace is set
+ set:
+ config.clusterName: test-cluster
+ config.venafiConnection.enabled: true
+ venafiConnection.serviceAccountNamespace: venafi
+ template: deployment.yaml
+ asserts:
+ - isKind:
+ of: Deployment
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --install-namespace
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: venafi
+
+ # When venafiConnection.serviceAccountNamespace is unset (the default), the
+ # --install-namespace flag must NOT be passed; the agent falls back to
+ # POD_NAMESPACE in that case.
+ - it: VenafiConnection mode omits --install-namespace when serviceAccountNamespace is unset
+ set:
+ config.clusterName: test-cluster
+ config.venafiConnection.enabled: true
+ template: deployment.yaml
+ asserts:
+ - isKind:
+ of: Deployment
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --install-namespace
+
+ # --install-namespace is only emitted in VenafiConnection mode. In keypair
+ # (NGTS/TSG) mode it must be omitted even if venafiConnection.serviceAccountNamespace
+ # is set, since that value only applies to the VenafiConnection flow.
+ - it: keypair mode omits --install-namespace even when serviceAccountNamespace is set
+ set:
+ config.clusterName: test-cluster
+ config.tsgID: "123456"
+ venafiConnection.serviceAccountNamespace: venafi
+ template: deployment.yaml
+ asserts:
+ - isKind:
+ of: Deployment
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --install-namespace
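Review bot: The two `contains` asserts in the first test are independent, so it passes whenever `--install-namespace` and `venafi` each appear somewhere in `args`, not when the namespace is actually the value of that flag — and `venafi` in particular could match an unrelated argument. If deployment.yaml renders the flag and its value as two separate elements (that hunk is not in this view), assert on adjacent indices with `equal`, e.g. `path: spec.template.spec.containers[0].args[N]` / `value: --install-namespace` followed by `args[N+1]` / `value: venafi`; if it renders `--install-namespace=venafi`, assert that single element instead.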
diff --git a/deploy/charts/discovery-agent/values.schema.json b/deploy/charts/discovery-agent/values.schema.json index 2cfaca99..eb48d29b 100644 --- a/deploy/charts/discovery-agent/values.schema.json +++ b/deploy/charts/discovery-agent/values.schema.json @@ -78,6 +78,9 @@ "tolerations": { "$ref": "#/$defs/helm-values.tolerations" }, + "venafiConnection": { + "$ref": "#/$defs/helm-values.venafiConnection" + }, "volumeMounts": { "$ref": "#/$defs/helm-values.volumeMounts" }, @@ -512,6 +515,27 @@ "items": {}, "type": "array" }, + "helm-values.venafiConnection": { + "additionalProperties": false, + "properties": { + "include": { + "$ref": "#/$defs/helm-values.venafiConnection.include" + }, + "serviceAccountNamespace": { + "$ref": "#/$defs/helm-values.venafiConnection.serviceAccountNamespace" + } + }, + "type": "object" + }, + "helm-values.venafiConnection.include": { + "default": false, + "description": "When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful for when the Venafi Connection resoures are already installed separately.", + "type": "boolean" + }, + "helm-values.venafiConnection.serviceAccountNamespace": { + "description": "The namespace in which the 'venafi-connection' service account lives. This is the service account that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace in which the controller is running)", + "type": "string" + }, "helm-values.volumeMounts": { "default": [], "description": "Additional volumeMounts on the output Deployment definition.", diff --git a/deploy/charts/discovery-agent/values.yaml b/deploy/charts/discovery-agent/values.yaml index b76acade..a7ef2f0f 100644 --- a/deploy/charts/discovery-agent/values.yaml +++ b/deploy/charts/discovery-agent/values.yaml 
@@ -1,3 +1,18 @@
+# +docs:section=Venafi Connection
+
+venafiConnection:
+ # When set to false, the rendered output does not contain the VenafiConnection CRDs
+ # and RBAC. This is useful for when the Venafi Connection resoures are already installed separately.
+ include: false
+
+ # The namespace in which the 'venafi-connection' service account lives. This is the service account
+ # that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace
+ # in which the controller is running)
+ # +docs:property
+ # serviceAccountNamespace: venafi
+
+# +docs:section=Discovery Agent
+
 # Configuration for the Discovery Agent
 config:
 # The TSG (Tenant Service Group) ID to use when connecting to SCM.
diff --git a/klone.yaml b/klone.yaml
index 43d7766f..79241e87 100644
--- a/klone.yaml
+++ b/klone.yaml
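Review bot: The `serviceAccountNamespace` comment should say that the discovery-agent reaches `venafi-connection` by impersonation (templates/venafi-rbac.yaml), because that is the consequence operators need when they bind RBAC to it: whatever Secret-read or TokenRequest permissions they grant that SA are, in effect, granted to the agent. Suggested wording: `# The discovery-agent impersonates this service account to read credential Secrets and to request service-account tokens, so RBAC bound to it is effectively the agent's access.` Also `resoures` → `resources` in the `include` comment; since values.schema.json is generated from these comments (`generate-helm-schema` in make/ngts/02_mod.mk), the fix belongs here rather than in the schema.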
@@ -10,55 +10,55 @@ targets: - folder_name: generate-verify repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/generate-verify - folder_name: go repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/go - folder_name: helm repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/helm - folder_name: help repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/help - folder_name: kind repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/kind - folder_name: klone repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/klone - folder_name: licenses repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/licenses - folder_name: oci-build repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/oci-build - folder_name: oci-publish repo_url: https://github.com/cert-manager/makefile-modules.git 
repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/oci-publish - folder_name: repository-base repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/repository-base - folder_name: tools repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: 42a2144a693992d84601456410428735d96f49cf + repo_hash: aef3f64fa51b7c1097eaa4102d325b0a08be938c repo_path: modules/tools diff --git a/make/02_mod.mk b/make/02_mod.mk index 97733e13..e18e6973 100644 --- a/make/02_mod.mk +++ b/make/02_mod.mk @@ -31,7 +31,7 @@ $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml: go.mod | echo "# DO NOT EDIT: Use 'make generate-crds-venconn' to regenerate." >$@ $(GO) run ./make/connection_crd >>$@ -$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml: $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml $(helm_chart_source_dir)/crd_bases/crd.header.yaml $(helm_chart_source_dir)/crd_bases/crd.footer.yaml | $(NEEDS_YQ) +$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml: $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml $(helm_chart_source_dir)/crd_bases/crd.header-without-validations.yaml $(helm_chart_source_dir)/crd_bases/crd.footer.yaml | $(NEEDS_YQ) cat $(helm_chart_source_dir)/crd_bases/crd.header-without-validations.yaml >$@ $(YQ) -I2 '{"spec": .spec}' $< | $(YQ) 'del(.. | ."x-kubernetes-validations"?) | del(.metadata.creationTimestamp)' | grep -v "DO NOT EDIT" >>$@ cat $(helm_chart_source_dir)/crd_bases/crd.footer.yaml >>$@ 
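Review bot: The recipe builds `$@` in place with `>$@` followed by two `>>$@` appends, so if the `$(YQ) … | grep -v` pipeline fails part-way the target is left truncated but newer than its prerequisites and the next `make` treats it as up to date; unless `.DELETE_ON_ERROR:` is set somewhere outside this view, write to a temporary file and rename at the end. With `grep -v` as the last stage, a failure of either `$(YQ)` is also only surfaced if the recipe shell runs with `pipefail`, which I cannot see configured here. Suggested shape:

```make
$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml: $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml $(helm_chart_source_dir)/crd_bases/crd.header-without-validations.yaml $(helm_chart_source_dir)/crd_bases/crd.footer.yaml | $(NEEDS_YQ)
	cat $(helm_chart_source_dir)/crd_bases/crd.header-without-validations.yaml >$@.tmp
	$(YQ) -I2 '{"spec": .spec}' $< | $(YQ) 'del(.. | ."x-kubernetes-validations"?) | del(.metadata.creationTimestamp)' | grep -v "DO NOT EDIT" >>$@.tmp
	cat $(helm_chart_source_dir)/crd_bases/crd.footer.yaml >>$@.tmp
	mv -f $@.tmp $@
```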
@@ -41,10 +41,7 @@ $(helm_chart_source_dir)/templates/venafi-connection-crd.yaml: $(helm_chart_sour
$(YQ) -I2 '{"spec": .spec}' $< | $(YQ) 'del(.metadata.creationTimestamp)' | grep -v "DO NOT EDIT" >>$@
cat $(helm_chart_source_dir)/crd_bases/crd.footer.yaml >>$@
-# The generate-crds target doesn't need to be run anymore when running
-# "generate". Let's replace it with "generate-crds-venconn".
-shared_generate_targets := $(filter-out generate-crds,$(shared_generate_targets))
-shared_generate_targets += generate-crds-venconn
+shared_generate_targets_dirty += generate-crds-venconn
.PHONY: test-e2e-gke
## Run a basic E2E test on a GKE cluster
diff --git a/make/_shared/generate-verify/02_mod.mk b/make/_shared/generate-verify/02_mod.mk
index f0677298..d4efdd8b 100644
--- a/make/_shared/generate-verify/02_mod.mk
+++ b/make/_shared/generate-verify/02_mod.mk
@@ -12,12 +12,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+# Literal newline so the $(foreach)es below emit one $(MAKE) per recipe line.
+# Without this the dirty list expands to "make a make b make c" on a single
+# line, which under -j builds every goal in one parallel invocation.
+define _generate_verify_newline
+
+
+endef
+
.PHONY: generate
## Generate all generate targets.
## @category [shared] Generate/ Verify
generate: $$(shared_generate_targets)
@echo "The following targets cannot be run simultaneously with each other or other generate scripts:"
- $(foreach TARGET,$(shared_generate_targets_dirty), $(MAKE) $(TARGET))
+ $(foreach TARGET,$(shared_generate_targets_dirty),$(MAKE) $(TARGET)$(_generate_verify_newline))
verify_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/verify.sh
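Review bot: The two empty lines between `define _generate_verify_newline` and `endef` are load-bearing but nothing says so: with a single blank line the variable expands to the empty string and `$(foreach …)` silently falls back to the one-line `make a make b` form the comment warns against, which is exactly what an editor or formatter that squashes consecutive blank lines will produce. A parse-time guard right after `endef` turns that into a hard error instead of a silent loss of serialisation: `$(if $(_generate_verify_newline),,$(error _generate_verify_newline is empty: both blank lines inside its define are required))`. The comment above the define should also state it, e.g. `# The two empty lines below are required; with only one the variable is empty.`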
@@ -36,4 +44,4 @@ verify_targets_dirty = $(sort $(verify_generated_targets_dirty) $(shared_verify_
## @category [shared] Generate/ Verify
verify: $$(verify_targets)
@echo "The following targets create temporary files in the current directory, that is why they have to be run last:"
- $(foreach TARGET,$(verify_targets_dirty), $(MAKE) $(TARGET))
+ $(foreach TARGET,$(verify_targets_dirty),$(MAKE) $(TARGET)$(_generate_verify_newline))
diff --git a/make/ark/02_mod.mk b/make/ark/02_mod.mk
index 829e9900..73b7d5e7 100644
--- a/make/ark/02_mod.mk
+++ b/make/ark/02_mod.mk
@@ -51,7 +51,7 @@ ark-verify:
helm_chart_source_dir=deploy/charts/disco-agent \
helm_chart_image_name=$(ARK_CHART)
-shared_verify_targets += ark-verify
+shared_verify_targets_dirty += ark-verify
.PHONY: ark-generate
## Generate Helm chart documentation and schema
diff --git a/make/ngts/02_mod.mk b/make/ngts/02_mod.mk
index e2e69bc0..9f8124f9 100644
--- a/make/ngts/02_mod.mk
+++ b/make/ngts/02_mod.mk
@@ -51,16 +51,16 @@ ngts-verify:
helm_chart_source_dir=deploy/charts/discovery-agent \
helm_chart_image_name=$(NGTS_CHART)
-shared_verify_targets += ngts-verify
+shared_verify_targets_dirty += ngts-verify
.PHONY: ngts-generate
-## Generate Helm chart documentation and schema
+## Generate Helm chart documentation, schema and the VenafiConnection CRD
## @category NGTS Discovery Agent
ngts-generate:
- $(MAKE) generate-helm-docs generate-helm-schema \
+ $(MAKE) generate-helm-docs generate-helm-schema generate-crds-venconn \
helm_chart_source_dir=deploy/charts/discovery-agent
-shared_generate_targets += ngts-generate
+shared_generate_targets_dirty += ngts-generate
.PHONY: list-discovery-resources
## Dump all discovery-agent k8s-dynamic resource types to a markdown list
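Review bot: `generate-crds-venconn` is now reached twice by a single `make generate`: once directly through the `shared_generate_targets_dirty += generate-crds-venconn` registration in make/02_mod.mk, and again through `ngts-generate`, which this hunk adds to the same dirty list and which invokes it with an explicit `helm_chart_source_dir=deploy/charts/discovery-agent`. If the default `helm_chart_source_dir` (not visible here) is the same chart the second pass is merely redundant, but if it differs the direct pass regenerates the CRD into another chart — one that the diffstat shows receiving no CRD files. Either drop the direct registration in favour of `ngts-generate`, or put a comment beside it saying why both are needed, e.g. `# Also registered standalone: ngts-generate only covers deploy/charts/discovery-agent.`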
