Added Injected Identity Source

.github/workflows/backport.yml

@@ -0,0 +1,34 @@
+name: Backport
+
+on:
+  # NOTE(negz): This is a risky target, but we run this action only when and if
+  # a PR is closed, then filter down to specifically merged PRs. We also don't
+  # invoke any scripts, etc from within the repo. I believe the fact that we'll
+  # be able to review PRs before this runs makes this fairly safe.
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  pull_request_target:
+    types: [closed]
+  # See also commands.yml for the /backport triggered variant of this workflow.
+
+jobs:
+  # NOTE(negz): I tested many backport GitHub actions before landing on this
+  # one. Many do not support merge commits, or do not support pull requests with
+  # more than one commit. This one does. It also handily links backport PRs with
+  # new PRs, and provides commentary and instructions when it can't backport.
+  # The main gotchas with this action are that it _only_ supports merge commits,
+  # and that PRs _must_ be labelled before they're merged to trigger a backport.
+  open-pr:
+    runs-on: ubuntu-18.04
+    if: github.event.pull_request.merged
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Open Backport PR
+        uses: zeebe-io/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_workspace: ${{ github.workspace }}
+          version: v0.0.4

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.16'
+  GO_VERSION: '1.17'
   GOLANGCI_VERSION: 'v1.31'
   DOCKER_BUILDX_VERSION: 'v0.4.2'
 

.github/workflows/commands.yml

@@ -0,0 +1,92 @@
+name: Comment Commands
+
+on: issue_comment
+
+jobs:
+  points:
+    runs-on: ubuntu-18.04
+    if: startsWith(github.event.comment.body, '/points')
+
+    steps:
+    - name: Extract Command
+      id: command
+      uses: xt0rted/slash-command-action@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        command: points
+        reaction: "true"
+        reaction-type: "eyes"
+        allow-edits: "false"
+        permission-level: write
+    - name: Handle Command
+      uses: actions/github-script@v4
+      env:
+        POINTS: ${{ steps.command.outputs.command-arguments }}
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const points = process.env.POINTS
+
+          if (isNaN(parseInt(points))) {
+            console.log("Malformed command - expected '/points <int>'")
+            github.reactions.createForIssueComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: context.payload.comment.id,
+              content: "confused"
+            })
+            return
+          }
+          const label = "points/" + points
+
+          // Delete our needs-points-label label.
+          try {
+            await github.issues.deleteLabel({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              name: ['needs-points-label']
+            })
+            console.log("Deleted 'needs-points-label' label.")
+          }
+          catch(e) {
+            console.log("Label 'needs-points-label' probably didn't exist.")
+          }
+
+          // Add our points label.
+          github.issues.addLabels({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            labels: [label]
+          })
+          console.log("Added '" + label + "' label.")
+
+  # NOTE(negz): See also backport.yml, which is the variant that triggers on PR
+  # merge rather than on comment.
+  backport:
+    runs-on: ubuntu-18.04
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/backport')
+    steps:
+    - name: Extract Command
+      id: command
+      uses: xt0rted/slash-command-action@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        command: backport
+        reaction: "true"
+        reaction-type: "eyes"
+        allow-edits: "false"
+        permission-level: write
+
+    - name: Checkout
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
+
+    - name: Open Backport PR
+      uses: zeebe-io/[email protected]
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_workspace: ${{ github.workspace }}
+        version: v0.0.4

Makefile

@@ -57,16 +57,6 @@ cobertura:
 		grep -v zz_generated.deepcopy | \
 		$(GOCOVER_COBERTURA) > $(GO_TEST_OUTPUT)/cobertura-coverage.xml
 
-# Ensure a PR is ready for review.
-reviewable: generate lint
-	@go mod tidy
-
-# Ensure branch is clean.
-check-diff: reviewable
-	@$(INFO) checking that branch is clean
-	@git diff --quiet || $(FAIL)
-	@$(OK) branch is clean
-
 # Update the submodules, such as the common build scripts.
 submodules:
 	@git submodule sync

OWNERS.md

@@ -12,4 +12,5 @@ guidelines and responsibilities for the steering committee and maintainers.
 
 * Nic Cope <[email protected]> ([negz](https://github.com/negz))
 * Daniel Mangum <[email protected]> ([hasheddan](https://github.com/hasheddan))
-* Muvaffak Onus <[email protected]> ([muvaf](https://github.com/muvaf))
+* Muvaffak Onuş <[email protected]> ([muvaf](https://github.com/muvaf))
+* Hasan Türken <[email protected]> ([turkenh](https://github.com/turkenh))

apis/common/v1/condition_test.go

@@ -20,9 +20,10 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/crossplane/crossplane-runtime/pkg/errors"
 )
 
 func TestConditionEqual(t *testing.T) {

apis/common/v1/connection_details.go

@@ -0,0 +1,226 @@
+/*
+Copyright 2019 The Crossplane Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	// LabelKeyOwnerUID is the UID of the owner resource of a connection secret.
+	// Kubernetes provides owner/controller references to track ownership of
+	// resources including secrets, however, this would only work for in cluster
+	// k8s secrets. We opted to use a label for this purpose to be consistent
+	// across Secret Store implementations and expect all to support
+	// setting/getting labels.
+	LabelKeyOwnerUID = "secret.crossplane.io/owner-uid"
+)
+
+// PublishConnectionDetailsTo represents configuration of a connection secret.
+type PublishConnectionDetailsTo struct {
+	// Name is the name of the connection secret.
+	Name string `json:"name"`
+
+	// Metadata is the metadata for connection secret.
+	// +optional
+	Metadata *ConnectionSecretMetadata `json:"metadata,omitempty"`
+
+	// SecretStoreConfigRef specifies which secret store config should be used
+	// for this ConnectionSecret.
+	// +optional
+	// +kubebuilder:default={"name": "default"}
+	SecretStoreConfigRef *Reference `json:"configRef,omitempty"`
+}
+
+// ConnectionSecretMetadata represents metadata of a connection secret.
+// Labels are used to track ownership of connection secrets and has to be
+// supported for any secret store implementation.
+type ConnectionSecretMetadata struct {
+	// Labels are the labels/tags to be added to connection secret.
+	// - For Kubernetes secrets, this will be used as "metadata.labels".
+	// - It is up to Secret Store implementation for others store types.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+	// Annotations are the annotations to be added to connection secret.
+	// - For Kubernetes secrets, this will be used as "metadata.annotations".
+	// - It is up to Secret Store implementation for others store types.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+	// Type is the SecretType for the connection secret.
+	// - Only valid for Kubernetes Secret Stores.
+	// +optional
+	Type *corev1.SecretType `json:"type,omitempty"`
+}
+
+// SetOwnerUID sets owner object uid label.
+func (in *ConnectionSecretMetadata) SetOwnerUID(uid types.UID) {
+	if in.Labels == nil {
+		in.Labels = map[string]string{}
+	}
+	in.Labels[LabelKeyOwnerUID] = string(uid)
+}
+
+// GetOwnerUID gets owner object uid.
+func (in *ConnectionSecretMetadata) GetOwnerUID() string {
+	if u, ok := in.Labels[LabelKeyOwnerUID]; ok {
+		return u
+	}
+	return ""
+}
+
+// SecretStoreType represents a secret store type.
+type SecretStoreType string
+
+const (
+	// SecretStoreKubernetes indicates that secret store type is
+	// Kubernetes. In other words, connection secrets will be stored as K8s
+	// Secrets.
+	SecretStoreKubernetes SecretStoreType = "Kubernetes"
+
+	// SecretStoreVault indicates that secret store type is Vault.
+	SecretStoreVault SecretStoreType = "Vault"
+)
+
+// SecretStoreConfig represents configuration of a Secret Store.
+type SecretStoreConfig struct {
+	// Type configures which secret store to be used. Only the configuration
+	// block for this store will be used and others will be ignored if provided.
+	// Default is Kubernetes.
+	// +optional
+	// +kubebuilder:default=Kubernetes
+	Type *SecretStoreType `json:"type,omitempty"`
+
+	// DefaultScope used for scoping secrets for "cluster-scoped" resources.
+	// If store type is "Kubernetes", this would mean the default namespace to
+	// store connection secrets for cluster scoped resources.
+	// In case of "Vault", this would be used as the default parent path.
+	// Typically, should be set as Crossplane installation namespace.
+	DefaultScope string `json:"defaultScope"`
+
+	// Kubernetes configures a Kubernetes secret store.
+	// If the "type" is "Kubernetes" but no config provided, in cluster config
+	// will be used.
+	// +optional
+	Kubernetes *KubernetesSecretStoreConfig `json:"kubernetes,omitempty"`
+
+	// Vault configures a Vault secret store.
+	// +optional
+	Vault *VaultSecretStoreConfig `json:"vault,omitempty"`
+}
+
+// KubernetesAuthConfig required to authenticate to a K8s API. It expects
+// a "kubeconfig" file to be provided.
+type KubernetesAuthConfig struct {
+	// Source of the credentials.
+	// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
+	Source CredentialsSource `json:"source"`
+
+	// CommonCredentialSelectors provides common selectors for extracting
+	// credentials.
+	CommonCredentialSelectors `json:",inline"`
+}
+
+// KubernetesSecretStoreConfig represents the required configuration
+// for a Kubernetes secret store.
+type KubernetesSecretStoreConfig struct {
+	// Credentials used to connect to the Kubernetes API.
+	Auth KubernetesAuthConfig `json:"auth"`
+
+	// TODO(turkenh): Support additional identities like
+	// https://github.com/crossplane-contrib/provider-kubernetes/blob/4d722ef914e6964e80e190317daca9872ae98738/apis/v1alpha1/types.go#L34
+}
+
+// VaultAuthMethod represent a Vault authentication method.
+// https://www.vaultproject.io/docs/auth
+type VaultAuthMethod string
+
+const (
+	// VaultAuthToken indicates that "Token Auth" will be used to
+	// authenticate to Vault.
+	// https://www.vaultproject.io/docs/auth/token
+	VaultAuthToken VaultAuthMethod = "Token"
+)
+
+// VaultAuthTokenConfig represents configuration for Vault Token Auth Method.
+// https://www.vaultproject.io/docs/auth/token
+type VaultAuthTokenConfig struct {
+	// Source of the credentials.
+	// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
+	Source CredentialsSource `json:"source"`
+
+	// CommonCredentialSelectors provides common selectors for extracting
+	// credentials.
+	CommonCredentialSelectors `json:",inline"`
+}
+
+// VaultAuthConfig required to authenticate to a Vault API.
+type VaultAuthConfig struct {
+	// Method configures which auth method will be used.
+	Method VaultAuthMethod `json:"method"`
+	// Token configures Token Auth for Vault.
+	// +optional
+	Token *VaultAuthTokenConfig `json:"token,omitempty"`
+}
+
+// VaultCABundleConfig represents configuration for configuring a CA bundle.
+type VaultCABundleConfig struct {
+	// Source of the credentials.
+	// +kubebuilder:validation:Enum=None;Secret;Environment;Filesystem
+	Source CredentialsSource `json:"source"`
+
+	// CommonCredentialSelectors provides common selectors for extracting
+	// credentials.
+	CommonCredentialSelectors `json:",inline"`
+}
+
+// VaultKVVersion represent API version of the Vault KV engine
+// https://www.vaultproject.io/docs/secrets/kv
+type VaultKVVersion string
+
+const (
+	// VaultKVVersionV1 indicates that Secret API is KV Secrets Engine Version 1
+	// https://www.vaultproject.io/docs/secrets/kv/kv-v1
+	VaultKVVersionV1 VaultKVVersion = "v1"
+
+	// VaultKVVersionV2 indicates that Secret API is KV Secrets Engine Version 2
+	// https://www.vaultproject.io/docs/secrets/kv/kv-v2
+	VaultKVVersionV2 VaultKVVersion = "v2"
+)
+
+// VaultSecretStoreConfig represents the required configuration for a Vault
+// secret store.
+type VaultSecretStoreConfig struct {
+	// Server is the url of the Vault server, e.g. "https://vault.acme.org"
+	Server string `json:"server"`
+
+	// MountPath is the mount path of the KV secrets engine.
+	MountPath string `json:"mountPath"`
+
+	// Version of the KV Secrets engine of Vault.
+	// https://www.vaultproject.io/docs/secrets/kv
+	// +optional
+	// +kubebuilder:default=v2
+	Version *VaultKVVersion `json:"version,omitempty"`
+
+	// CABundle configures CA bundle for Vault Server.
+	// +optional
+	CABundle *VaultCABundleConfig `json:"caBundle,omitempty"`
+
+	// Auth configures an authentication method for Vault.
+	Auth VaultAuthConfig `json:"auth"`
+}