/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha3
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// AWSClusterIdentitySpec holds the fields shared by every identity kind in this
// file. It is embedded inline in AWSClusterStaticIdentitySpec,
// AWSClusterRoleIdentitySpec and AWSClusterControllerIdentitySpec.
type AWSClusterIdentitySpec struct {
	// AllowedNamespaces is used to identify which namespaces are allowed to use the identity from.
	// Namespaces can be selected either using an array of namespaces or with label selector.
	// An empty allowedNamespaces object indicates that AWSClusters can use this identity from any namespace.
	// If this object is nil, no namespaces will be allowed (default behaviour, if this field is not provided).
	// A namespace should be either in the NamespaceList or match with Selector to use the identity.
	//
	// Security note: all identity kinds in this file are cluster-scoped, so this
	// field is the only gate between a namespaced AWSCluster and the AWS
	// credentials behind the identity. The default (nil, serialised as null
	// because the field is a nullable pointer without omitempty) is the deny-all
	// choice; `allowedNamespaces: {}` is the broadest possible grant and is best
	// reserved for single-tenant management clusters.
	//
	// +optional
	// +nullable
	AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces"`
}
// AllowedNamespaces describes which namespaces may reference an identity.
// The two mechanisms are independent: per AWSClusterIdentitySpec a namespace is
// admitted if it is named in NamespaceList OR its labels match Selector.
type AllowedNamespaces struct {
	// NamespaceList is an explicit list of namespace names.
	// A nil or empty list indicates that AWSClusters cannot use the identity from any namespace
	// via this list.
	// NOTE(review): AWSClusterIdentitySpec documents an entirely empty
	// allowedNamespaces object (empty list AND empty selector) as allowing every
	// namespace, which overlaps with the statement above; presumably the
	// "empty object allows all" rule is what the controller applies — confirm there.
	//
	// +optional
	// +nullable
	NamespaceList []string `json:"list"`
	// Selector is a selector of namespaces that AWSClusters can
	// use this AWSClusterIdentity from. This is a standard Kubernetes LabelSelector,
	// a label query over a set of resources. The result of matchLabels and
	// matchExpressions are ANDed.
	//
	// An empty selector indicates that AWSClusters cannot use this
	// AWSClusterIdentity from any namespace.
	// NOTE(review): that is the opposite of the usual Kubernetes convention,
	// where an empty LabelSelector matches everything; the stricter reading has
	// to be enforced by the controller, not by this type — confirm.
	//
	// Security note: the selector is evaluated against labels on Namespace
	// objects, so anyone who can label a Namespace can bring it into scope.
	// Prefer an explicit NamespaceList where namespace labels are not tightly
	// controlled.
	// +optional
	Selector metav1.LabelSelector `json:"selector"`
}
// AWSRoleSpec holds the parameters of a role-assumption request. It is embedded
// inline in AWSClusterRoleIdentitySpec.
type AWSRoleSpec struct {
	// The Amazon Resource Name (ARN) of the role to assume.
	// No CRD-level format or non-empty validation is declared on this field here.
	// NOTE(review): presumably a validating webhook checks it — confirm, since
	// otherwise an empty or malformed ARN is only rejected at assume-role time.
	RoleArn string `json:"roleARN"`
	// An identifier for the assumed role session. Dropped from the serialised
	// object when empty (omitempty). Presumably this is the session name that
	// appears in AWS audit trails, in which case a recognisable per-cluster
	// value helps attribution — verify against the STS documentation.
	SessionName string `json:"sessionName,omitempty"`
	// The duration, in seconds, of the role session before it is renewed.
	// The CRD schema enforces 900 (15 minutes) to 43200 (12 hours); a shorter
	// session narrows the window in which leaked session credentials are usable.
	// A zero value is dropped from the object (omitempty); what the controller
	// substitutes in that case is not visible in this file.
	// +kubebuilder:validation:Minimum:=900
	// +kubebuilder:validation:Maximum:=43200
	DurationSeconds int32 `json:"durationSeconds,omitempty"`
	// An IAM policy as a JSON-encoded string that you want to use as an inline session policy.
	// The string is not validated as JSON, let alone as a policy document, by this type.
	// NOTE(review): session policies (this field and PolicyARNs) are understood to
	// only narrow the permissions the role already grants, never extend them —
	// confirm against the STS AssumeRole documentation before relying on that.
	InlinePolicy string `json:"inlinePolicy,omitempty"`
	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
	// to use as managed session policies.
	// The policies must exist in the same account as the role.
	PolicyARNs []string `json:"policyARNs,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:resource:path=awsclusterstaticidentities,scope=Cluster,categories=cluster-api
// +kubebuilder:storageversion
// AWSClusterStaticIdentity is the Schema for the awsclusterstaticidentities API
// It represents a reference to an AWS access key ID and secret access key, stored in a secret.
//
// The resource is cluster-scoped (scope=Cluster above), so RBAC on it is
// cluster-wide; which namespaces may actually consume the credentials is
// governed by Spec.AllowedNamespaces, not by where the object lives.
type AWSClusterStaticIdentity struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec for this AWSClusterStaticIdentity
	Spec AWSClusterStaticIdentitySpec `json:"spec,omitempty"`
}
// +kubebuilder:object:root=true
// AWSClusterStaticIdentityList contains a list of AWSClusterStaticIdentity.
// It is the list type returned by the API server for the cluster-scoped
// awsclusterstaticidentities resource.
type AWSClusterStaticIdentityList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is the list of AWSClusterStaticIdentity objects; always serialised,
	// as an empty array when there are none.
	Items []AWSClusterStaticIdentity `json:"items"`
}
// AWSClusterStaticIdentitySpec defines the specification for an
// AWSClusterStaticIdentity: a pointer to a Secret holding a static access key.
type AWSClusterStaticIdentitySpec struct {
	// Shared fields, including the AllowedNamespaces gate that decides which
	// namespaces may consume the referenced credentials.
	AWSClusterIdentitySpec `json:",inline"`
	// Reference to a secret containing the credentials. The secret should
	// contain the following data keys:
	// AccessKeyID: AKIAIOSFODNN7EXAMPLE
	// SecretAccessKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
	// SessionToken: Optional
	//
	// The values above are AWS documentation placeholders, not real credentials.
	// Because the identity itself is cluster-scoped, the Secret's namespace is
	// taken from this reference. Anyone who can read that Secret holds the
	// static access key, so RBAC on the Secret's namespace matters as much as
	// AllowedNamespaces does. NOTE(review): nothing in this type marks secretRef
	// as required or validates that name and namespace are non-empty — confirm
	// that a webhook does.
	SecretRef corev1.SecretReference `json:"secretRef"`
}
// +kubebuilder:object:root=true
// +kubebuilder:resource:path=awsclusterroleidentities,scope=Cluster,categories=cluster-api
// +kubebuilder:storageversion
// AWSClusterRoleIdentity is the Schema for the awsclusterroleidentities API
// It is used to assume a role using the provided sourceRef.
//
// Like the other identity kinds it is cluster-scoped; Spec.AllowedNamespaces is
// what limits which namespaces may trigger the role assumption.
type AWSClusterRoleIdentity struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec for this AWSClusterRoleIdentity.
	Spec AWSClusterRoleIdentitySpec `json:"spec,omitempty"`
}
// +kubebuilder:object:root=true
// AWSClusterRoleIdentityList contains a list of AWSClusterRoleIdentity.
// It is the list type returned by the API server for the cluster-scoped
// awsclusterroleidentities resource.
type AWSClusterRoleIdentityList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is the list of AWSClusterRoleIdentity objects; always serialised,
	// as an empty array when there are none.
	Items []AWSClusterRoleIdentity `json:"items"`
}
// AWSClusterRoleIdentitySpec defines the specification for an
// AWSClusterRoleIdentity: which role to assume, with what session settings,
// and which source identity supplies the credentials for the call.
type AWSClusterRoleIdentitySpec struct {
	// Shared fields, including the AllowedNamespaces gate.
	AWSClusterIdentitySpec `json:",inline"`
	// Role ARN, session name/duration and session policies for the assume-role call.
	AWSRoleSpec `json:",inline"`
	// A unique identifier that might be required when you assume a role in another account.
	// If the administrator of the account to which the role belongs provided you with an
	// external ID, then provide that value in the ExternalId parameter. This value can be
	// any string, such as a passphrase or account number. A cross-account role is usually
	// set up to trust everyone in an account. Therefore, the administrator of the trusting
	// account might send an external ID to the administrator of the trusted account. That
	// way, only someone with the ID can assume the role, rather than everyone in the
	// account. For more information about the external ID, see How to Use an External ID
	// When Granting Access to Your AWS Resources to a Third Party in the IAM User Guide.
	//
	// Security note: the external ID is the standard mitigation for the
	// confused-deputy scenario described above. It is held as a plain string in
	// a cluster-scoped object, so it is readable by anyone with get/list on
	// awsclusterroleidentities; it is not a secret in the Kubernetes sense.
	// +optional
	ExternalID string `json:"externalID,omitempty"`
	// SourceIdentityRef is a reference to another identity which will be chained to do
	// role assumption. All identity types are accepted.
	// NOTE(review): nothing in this type bounds the chain length or stops an
	// identity from referencing itself, directly or through a cycle; presumably
	// the controller detects that — confirm. Which credentials are used when
	// this is nil is not visible in this file either.
	SourceIdentityRef *AWSIdentityReference `json:"sourceIdentityRef,omitempty"`
}
// +kubebuilder:object:root=true
// +kubebuilder:resource:path=awsclustercontrolleridentities,scope=Cluster,categories=cluster-api
// +kubebuilder:storageversion
// AWSClusterControllerIdentity is the Schema for the awsclustercontrolleridentities API
// It is used to grant access to use Cluster API Provider AWS Controller credentials.
//
// Security note: this identity hands out the controller's own credentials,
// which are typically the most privileged ones in the management cluster. Its
// Spec carries nothing but AllowedNamespaces, so that field is the entire
// access-control surface; leaving it nil (deny all) unless a namespace really
// needs controller-level access is the conservative choice.
type AWSClusterControllerIdentity struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Spec for this AWSClusterControllerIdentity.
	Spec AWSClusterControllerIdentitySpec `json:"spec,omitempty"`
}
// +kubebuilder:object:root=true
// AWSClusterControllerIdentityList contains a list of AWSClusterControllerIdentity.
// It is the list type returned by the API server for the cluster-scoped
// awsclustercontrolleridentities resource.
type AWSClusterControllerIdentityList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items is the list of AWSClusterControllerIdentity objects; always
	// serialised, as an empty array when there are none.
	Items []AWSClusterControllerIdentity `json:"items"`
}
// AWSClusterControllerIdentitySpec defines the specification for an
// AWSClusterControllerIdentity. It contains only the shared fields: there is
// no credential reference, because the controller's own credentials are used,
// and AllowedNamespaces is therefore the only knob on this kind.
type AWSClusterControllerIdentitySpec struct {
	AWSClusterIdentitySpec `json:",inline"`
}
// init registers the three identity kinds and their list types with the
// package SchemeBuilder so the API server and clients can decode them.
// Registration is grouped per kind; each call appends to the same builder, so
// the resulting scheme is identical to a single variadic call.
func init() {
	SchemeBuilder.Register(&AWSClusterStaticIdentity{}, &AWSClusterStaticIdentityList{})
	SchemeBuilder.Register(&AWSClusterRoleIdentity{}, &AWSClusterRoleIdentityList{})
	SchemeBuilder.Register(&AWSClusterControllerIdentity{}, &AWSClusterControllerIdentityList{})
}