From c5de9254658d5b2df1673970a3fd40c19ee309b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 12 Aug 2024 22:06:04 +0200 Subject: [PATCH] secretless: add yq, envtest binaries, and venaficonnections.yaml --- .gitignore | 1 + Makefile | 70 +- .../jetstack.io_venaficonnections.yaml | 1199 +++++++++++++++++ ...fi-connection-crd.without-validations.yaml | 1118 +++++++++++++++ .../templates/venafi-connection-crd.yaml | 1142 ++++++++++++++++ make/connection_crd/main.go | 13 + make/tools.mk | 451 +++++++ make/util/checkhash.sh | 20 + make/util/hash.sh | 8 + make/util/verify.sh | 50 + 10 files changed, 4070 insertions(+), 2 deletions(-) create mode 100644 deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml create mode 100644 deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml create mode 100644 deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml create mode 100644 make/connection_crd/main.go create mode 100644 make/tools.mk create mode 100755 make/util/checkhash.sh create mode 100755 make/util/hash.sh create mode 100755 make/util/verify.sh diff --git a/.gitignore b/.gitignore index 834d55b0..17966351 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ predicate.json *.pub *.tgz +_bin diff --git a/Makefile b/Makefile index 280ed9c2..0ae18a2e 100644 --- a/Makefile +++ b/Makefile @@ -48,8 +48,8 @@ build: install: cd $(ROOT_DIR) && $(GO_INSTALL) -test: - cd $(ROOT_DIR) && go test ./... +test: _bin/tools/etcd _bin/tools/kube-apiserver + cd $(ROOT_DIR) && KUBEBUILDER_ASSETS=$(ROOT_DIR)/_bin/tools go test ./pkg/client/ vet: cd $(ROOT_DIR) && go vet ./... @@ -142,3 +142,69 @@ ci-build: ci-test build build-docker-image build-all-platforms bundle-all-platfo ci-publish: ci-build push-docker-image echo "ci-publish is going to be disabled. We are adopting Github actions" + +helm_chart_source_dir := deploy/charts/venafi-kubernetes-agent +BINDIR := $(ROOT_DIR)/_bin + +.PHONY: generate-manifests +generate-manifests: ## Generates jetstack.io_venaficonnections.yaml. +generate-manifests: | $(NEEDS_GO) _bin/tools/yq + @echo "# DO NOT EDIT. Use 'make generate-manifests' to regenerate." >$(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml + go run ./make/connection_crd >>$(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml + + @echo "# DO NOT EDIT. Use 'make generate-manifests' to regenerate." >$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml + _bin/tools/yq 'del(.. | ."x-kubernetes-validations"?) | del(.metadata.creationTimestamp)' $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml >>$(helm_chart_source_dir)/templates/venafi-connection-crd.without-validations.yaml + + @echo "# DO NOT EDIT. Use 'make generate-manifests' to regenerate." >$(helm_chart_source_dir)/templates/venafi-connection-crd.yaml + _bin/tools/yq 'del(.metadata.creationTimestamp)' $(helm_chart_source_dir)/crd_bases/jetstack.io_venaficonnections.yaml >> $(helm_chart_source_dir)/templates/venafi-connection-crd.yaml + +# This is a lesser version of what's in venafi-enhanced-issuer, and is very +# suboptimal. We will migrate to makefile-modules and klone soon, so I didn't +# want to work too hard on this. +YQ_linux_amd64_SHA256SUM=bd695a6513f1196aeda17b174a15e9c351843fb1cef5f9be0af170f2dd744f08 +YQ_darwin_amd64_SHA256SUM=b2ff70e295d02695b284755b2a41bd889cfb37454e1fa71abc3a6ec13b2676cf +YQ_darwin_arm64_SHA256SUM=e9fc15db977875de982e0174ba5dc2cf5ae4a644e18432a4262c96d4439b1686 +YQ_VERSION=v4.35.1 + +_bin/downloaded/tools/yq@$(YQ_VERSION)_%: + mkdir -p _bin/downloaded/tools + curl -L https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@ + ./make/util/checkhash.sh $@ $(YQ_$*_SHA256SUM) + chmod +x $@ + +HOST_OS=$(shell uname | tr '[:upper:]' '[:lower:]') +HOST_ARCH=$(shell uname -m | sed 's/x86_64/amd64/') + +_bin/tools/yq: _bin/downloaded/tools/yq@$(YQ_VERSION)_$(HOST_OS)_$(HOST_ARCH) + @mkdir -p _bin/tools + @cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@) + +KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=f9699df7b021f71a1ab55329b36b48a798e6ae3a44d2132255fc7e46c6790d4d +KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=e1913674bacaa70c067e15649237e1f67d891ba53f367c0a50786b4a274ee047 +KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=0422632a2bbb0d4d14d7d8b0f05497a4d041c11d770a07b7a55c44bcc5e8ce66 +KUBEBUILDER_ASSETS_VERSION=1.27.1 + +_bin/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: _bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | _bin/downloaded/tools + ./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@ + +_bin/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: _bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | _bin/downloaded/tools + ./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@ + +_bin/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | _bin/downloaded/tools + curl -L https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@ + +_bin/downloaded/tools: + @mkdir -p $@ + +_bin/tools/etcd: _bin/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH) + @mkdir -p _bin/tools + @cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@) + +_bin/tools/kube-apiserver: _bin/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH) + @mkdir -p _bin/tools + @cd $(dir $@) && ln -sf $(patsubst _bin/%,../%,$<) $(notdir $@) + diff --git a/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml new file mode 100644 index 00000000..926cb418 --- /dev/null +++ b/deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml @@ -0,0 +1,1199 @@ +# DO NOT EDIT. Use 'make generate-manifests' to regenerate. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: venaficonnections.jetstack.io +spec: + group: jetstack.io + names: + kind: VenafiConnection + listKind: VenafiConnectionList + plural: venaficonnections + shortNames: + - vc + singular: venaficonnection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. + If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the + field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi VCP instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: apiKey + or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : + 0) == 1' + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and + will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault + instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate + with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate + with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) + ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) + ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) + ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi VCP instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: apiKey + or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : + 0) == 1' + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: tpp or + vcp' + rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) + ? 1 : 0) == 1' + status: + properties: + conditions: + description: List of status conditions to indicate the status of a + VenafiConnection. + items: + description: ConnectionCondition contains condition information + for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: lastUpdateTime is the time of the last update to + this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, + `Unknown`). + type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the Venafi + Control Plane server. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml new file mode 100644 index 00000000..335dbf1c --- /dev/null +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml @@ -0,0 +1,1118 @@ +# DO NOT EDIT. Use 'make generate-manifests' to regenerate. +# DO NOT EDIT. Use 'make generate-manifests' to regenerate. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: venaficonnections.jetstack.io +spec: + group: jetstack.io + names: + kind: VenafiConnection + listKind: VenafiConnectionList + plural: venaficonnections + shortNames: + - vc + singular: venaficonnection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. + If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi VCP instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi VCP instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + type: object + status: + properties: + conditions: + description: List of status conditions to indicate the status of a VenafiConnection. + items: + description: ConnectionCondition contains condition information for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: lastUpdateTime is the time of the last update to this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the Venafi + Control Plane server. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml new file mode 100644 index 00000000..6926ad6c --- /dev/null +++ b/deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml @@ -0,0 +1,1142 @@ +# DO NOT EDIT. Use 'make generate-manifests' to regenerate. +# DO NOT EDIT. Use 'make generate-manifests' to regenerate. +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: venaficonnections.jetstack.io +spec: + group: jetstack.io + names: + kind: VenafiConnection + listKind: VenafiConnectionList + plural: venaficonnections + shortNames: + - vc + singular: venaficonnection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: VenafiConnection is the Schema for the VenafiConnection API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + allowReferencesFrom: + description: |- + A namespace selector that specifies what namespaces this VenafiConnection + is allowed to be used from. + If not set/ null, the VenafiConnection can only be used within its namespace. + An empty selector ({}) matches all namespaces. + If set to a non-empty selector, the VenafiConnection can only be used from + namespaces that match the selector. This possibly excludes the namespace + the VenafiConnection is in. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + tpp: + properties: + accessToken: + description: The list of steps to retrieve a TPP access token. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out by + venafi-connection-lib. + type: string + required: + - url + type: object + vaas: + description: 'Deprecated: The ''vaas'' field is deprecated use the field called ''vcp'' instead.' + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi VCP instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: apiKey or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1' + vcp: + properties: + accessToken: + description: |- + The list of steps to retrieve the Access Token that will be used to connect + to VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + apiKey: + description: |- + The list of steps to retrieve the API key that will be used to connect to + VCP. + items: + properties: + hashicorpVaultLDAP: + description: |- + HashicorpVaultLDAP is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + ldapPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/ldap/static-cred/:role_name + or + /v1/ldap/creds/:role_name + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - ldapPath + type: object + hashicorpVaultOAuth: + description: |- + HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource + step to provide an OAuth token, which this step uses to authenticate to + Vault. The output of this step is a Vault token. This step allows you to use + the step `HashicorpVaultSecret` afterwards. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with HashiCorp Vault. The only supported value is "OIDC". + enum: + - OIDC + type: string + authPath: + description: |- + The login URL used for obtaining the Vault token. Example: + /v1/auth/oidc/login + type: string + clientId: + description: 'DEPRECATED: This field does nothing and will be removed in the future.' + type: string + role: + description: |- + The role defined in Vault that we want to use when authenticating to + Vault. + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - authInputType + - authPath + - role + type: object + hashicorpVaultSecret: + description: |- + HashicorpVaultSecret is a SecretSource step that requires a Vault token in + the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It + then fetches the requested secrets from Vault for use in the next step. + properties: + fields: + description: |- + The fields are Vault keys pointing to the secrets passed to the next + SecretSource step. + + + Example 1 (TPP, username and password): imagining that you have stored + the username and password for TPP under the keys "username" and + "password", you will want to set this field to `["username", + "password"]`. The username is expected to be given first, the password + second. + items: + type: string + type: array + secretPath: + description: |- + The full HTTP path to the secret in Vault. Example: + /v1/secret/data/application-team-a/tpp-username-password + type: string + url: + description: The URL to connect to your HashiCorp Vault instance. + type: string + required: + - fields + - secretPath + type: object + secret: + description: |- + Secret is a SecretSource step meant to be the first step. It retrieves secret + values from a Kubernetes Secret, and passes them to the next step. + properties: + fields: + description: |- + The names of the fields we want to extract from the Kubernetes secret. + These fields are passed to the next step in the chain. + items: + type: string + type: array + name: + description: The name of the Kubernetes secret. + type: string + required: + - fields + - name + type: object + serviceAccountToken: + description: |- + ServiceAccountToken is a SecretSource step meant to be the first step. It + uses the Kubernetes TokenRequest API to retrieve a token for a given service + account, and passes it to the next step. + properties: + audiences: + description: |- + Audiences are the intendend audiences of the token. A recipient of a + token must identify themself with an identifier in the list of + audiences of the token, and otherwise should reject the token. A + token issued for multiple audiences may be used to authenticate + against any of the audiences listed but implies a high degree of + trust between the target audiences. + items: + type: string + type: array + expirationSeconds: + description: |- + ExpirationSeconds is the requested duration of validity of the request. The + token issuer may return a token with a different validity duration so a + client needs to check the 'expiration' field in a response. + format: int64 + type: integer + name: + description: The name of the Kubernetes service account. + type: string + required: + - audiences + - name + type: object + tppOAuth: + description: |- + TPPOAuth is a SecretSource step that authenticates to a TPP server. This + step is meant to be the last step and requires a prior step that depends + on the `authInputType`. + properties: + authInputType: + description: |- + AuthInputType is the authentication method to be used to authenticate + with TPP. The supported values are "UsernamePassword" and "JWT". + enum: + - UsernamePassword + - JWT + type: string + clientId: + default: cert-manager.io + description: ClientID is the clientId used to authenticate with TPP. + type: string + url: + description: |- + The URL to connect to the Venafi TPP instance. The two URLs + https://tpp.example.com and https://tpp.example.com/vedsdk are + equivalent. The ending `/vedsdk` is optional and is stripped out + by our client. + If not set, defaults to the URL defined at the top-level of the + TPP configuration. + type: string + required: + - authInputType + type: object + vcpOAuth: + description: |- + VCPOAuth is a SecretSource step that authenticates to the Venafi Control + Plane. This step is meant to be the last step and requires a prior step + that outputs a JWT token. + properties: + tenantID: + description: TenantID is the tenant ID used to authenticate with VCP. + type: string + type: object + type: object + x-kubernetes-validations: + - message: must have exactly one field set + rule: '(has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken) ? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret) ? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth) ? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0) == 1' + maxItems: 50 + type: array + x-kubernetes-list-type: atomic + url: + description: |- + The URL to connect to the Venafi VCP instance. If not set, the default + value https://api.venafi.cloud is used. + type: string + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: apiKey or accessToken' + rule: '(has(self.apiKey) ? 1 : 0) + (has(self.accessToken) ? 1 : 0) == 1' + type: object + x-kubernetes-validations: + - message: 'must have exactly ONE of the following fields set: tpp or vcp' + rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp) ? 1 : 0) == 1' + status: + properties: + conditions: + description: List of status conditions to indicate the status of a VenafiConnection. + items: + description: ConnectionCondition contains condition information for a VenafiConnection. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the timestamp corresponding to the last status + change of this condition. + format: date-time + type: string + lastUpdateTime: + description: lastUpdateTime is the time of the last update to this condition + format: date-time + type: string + message: + description: |- + Message is a human readable description of the details of the last + transition, complementing reason. + type: string + observedGeneration: + description: |- + If set, this represents the .metadata.generation that the condition was + set based upon. + For instance, if .metadata.generation is currently 12, but the + .status.condition[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the Issuer. + format: int64 + type: integer + reason: + description: |- + Reason is a brief machine readable explanation for the condition's last + transition. + type: string + status: + description: Status of the condition, one of (`True`, `False`, `Unknown`). + type: string + tokenValidUntil: + description: |- + The ValidUntil time of the token used to authenticate with the Venafi + Control Plane server. + format: date-time + type: string + type: + description: |- + Type of the condition, should be a combination of the unique name of the + operator and the type of condition. + eg. `VenafiEnhancedIssuerReady` + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/make/connection_crd/main.go b/make/connection_crd/main.go new file mode 100644 index 00000000..1cfc5c9e --- /dev/null +++ b/make/connection_crd/main.go @@ -0,0 +1,13 @@ +package main + +import ( + "fmt" + + crd "github.com/jetstack/venafi-connection-lib/config/crd/bases" +) + +// With this tool, we no longer have to use something like `helm template` to +// pull the CRD manifest from the venafi-connection-lib project. +func main() { + fmt.Print(string(crd.VenafiConnectionCrd)) +} diff --git a/make/tools.mk b/make/tools.mk new file mode 100644 index 00000000..3cf5ee48 --- /dev/null +++ b/make/tools.mk @@ -0,0 +1,451 @@ +BINDIR=_bin + +# To make sure we use the right version of each tool, we put symlink in +# $(BINDIR)/tools, and the actual binaries are in $(BINDIR)/downloaded. When bumping +# the version of the tools, this symlink gets updated. + +# Let's have $(BINDIR)/tools in front of the PATH so that we don't inavertedly +# pick up the wrong binary somewhere. Watch out, $(shell echo $$PATH) will +# still print the original PATH, since GNU make does not honor exported +# variables: https://stackoverflow.com/questions/54726457 +export PATH := $(PWD)/$(BINDIR)/tools:$(PATH) + +CTR=docker + +TOOLS := +# https://github.com/helm/helm/releases +TOOLS += helm=v3.12.3 +# https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl +TOOLS += kubectl=v1.27.4 +# https://github.com/kubernetes-sigs/kind/releases +TOOLS += kind=v0.20.0 +# https://www.vaultproject.io/downloads +TOOLS += vault=1.14.1 +# https://github.com/Azure/azure-workload-identity/releases +TOOLS += azwi=v1.1.0 +# https://github.com/kyverno/kyverno/releases +TOOLS += kyverno=v1.10.3 +# https://github.com/mikefarah/yq/releases +TOOLS += yq=v4.35.1 +# https://github.com/ko-build/ko/releases +TOOLS += ko=0.14.1 +# https://github.com/protocolbuffers/protobuf/releases +TOOLS += protoc=24.0 + +### go packages +# https://pkg.go.dev/sigs.k8s.io/controller-tools/cmd/controller-gen?tab=versions +TOOLS += controller-gen=v0.14.0 +# https://pkg.go.dev/golang.org/x/tools/cmd/goimports?tab=versions +TOOLS += goimports=v0.12.0 +# https://pkg.go.dev/github.com/google/go-licenses/licenses?tab=versions +TOOLS += go-licenses=v1.6.0 +# https://pkg.go.dev/gotest.tools/gotestsum?tab=versions +TOOLS += gotestsum=v1.10.1 +# https://pkg.go.dev/sigs.k8s.io/kustomize/kustomize/v4?tab=versions +TOOLS += kustomize=v4.5.7 +# https://pkg.go.dev/github.com/itchyny/gojq?tab=versions +TOOLS += gojq=v0.12.13 +# https://pkg.go.dev/github.com/google/go-containerregistry/pkg/crane?tab=versions +TOOLS += crane=v0.16.1 +# https://pkg.go.dev/google.golang.org/protobuf/cmd/protoc-gen-go?tab=versions +TOOLS += protoc-gen-go=v1.31.0 +# https://github.com/cert-manager/helm-tool +TOOLS += helm-tool=v0.4.2 +# https://github.com/fybrik/crdoc +TOOLS += crdoc=v0.6.3 + +# https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions +K8S_CODEGEN_VERSION=v0.28.2 + +# https://github.com/kubernetes-sigs/kubebuilder/blob/tools-releases/build/cloudbuild_tools.yaml +KUBEBUILDER_ASSETS_VERSION=1.27.1 +TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION) +TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION) + +# https://go.dev/dl/ +VENDORED_GO_VERSION := 1.21.3 + +# When switching branches which use different versions of the tools, we +# need a way to re-trigger the symlinking from $(BINDIR)/downloaded to $(BINDIR)/tools. +$(BINDIR)/scratch/%_VERSION: FORCE | $(BINDIR)/scratch + @test "$($*_VERSION)" == "$(shell cat $@ 2>/dev/null)" || echo $($*_VERSION) > $@ + +# The reason we don't use "go env GOOS" or "go env GOARCH" is that the "go" +# binary may not be available in the PATH yet when the Makefiles are +# evaluated. HOST_OS and HOST_ARCH only support Linux, *BSD and macOS (M1 +# and Intel). +HOST_OS ?= $(shell uname -s | tr A-Z a-z) +HOST_ARCH ?= $(shell uname -m) +ifeq (x86_64, $(HOST_ARCH)) + HOST_ARCH = amd64 +endif + +# --silent = don't print output like progress meters +# --show-error = but do print errors when they happen +# --fail = exit with a nonzero error code without the response from the server when there's an HTTP error +# --location = follow redirects from the server +# --retry = the number of times to retry a failed attempt to connect +# --retry-connrefused = retry even if the initial connection was refused +CURL = curl --silent --show-error --fail --location --retry 10 --retry-connrefused + +# In Prow, the pod has the folder "$(BINDIR)/downloaded" mounted into the +# container. For some reason, even though the permissions are correct, +# binaries that are mounted with hostPath can't be executed. When in CI, we +# copy the binaries to work around that. Using $(LN) is only required when +# dealing with binaries. Other files and folders can be symlinked. +# +# Details on how "$(BINDIR)/downloaded" gets cached are available in the +# description of the PR https://github.com/jetstack/testing/pull/651. +# +# We use "printenv CI" instead of just "ifeq ($(CI),)" because otherwise we +# would get "warning: undefined variable 'CI'". +ifeq ($(shell printenv CI),) +LN := ln -f -s +else +LN := cp -f -r +endif + +UC = $(shell echo '$1' | tr a-z A-Z) +LC = $(shell echo '$1' | tr A-Z a-z) + +TOOL_NAMES := + +# for each item `xxx` in the TOOLS variable: +# - a $(XXX_VERSION) variable is generated +# -> this variable contains the version of the tool +# - a $(NEEDS_XXX) variable is generated +# -> this variable contains the target name for the tool, +# which is the relative path of the binary, this target +# should be used when adding the tool as a dependency to +# your target, you can't use $(XXX) as a dependency because +# make does not support an absolute path as a dependency +# - a $(XXX) variable is generated +# -> this variable contains the absolute path of the binary, +# the absolute path should be used when executing the binary +# in targets or in scripts, because it is agnostic to the +# working directory +# - an unversioned target $(BINDIR)/tools/xxx is generated that +# creates a copy/ link to the corresponding versioned target: +# $(BINDIR)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH) +define tool_defs +TOOL_NAMES += $1 + +$(call UC,$1)_VERSION ?= $2 +NEEDS_$(call UC,$1) := $$(BINDIR)/tools/$1 +$(call UC,$1) := $$(PWD)/$$(BINDIR)/tools/$1 + +$$(BINDIR)/tools/$1: $$(BINDIR)/scratch/$(call UC,$1)_VERSION | $$(BINDIR)/downloaded/tools/$1@$$($(call UC,$1)_VERSION)_$$(HOST_OS)_$$(HOST_ARCH) $$(BINDIR)/tools + cd $$(dir $$@) && $$(LN) $$(patsubst $$(BINDIR)/%,../%,$$(word 1,$$|)) $$(notdir $$@) + @touch $$@ # making sure the target of the symlink is newer than *_VERSION +endef + +$(foreach TOOL,$(TOOLS),$(eval $(call tool_defs,$(word 1,$(subst =, ,$(TOOL))),$(word 2,$(subst =, ,$(TOOL)))))) + +TOOLS_PATHS := $(TOOL_NAMES:%=$(BINDIR)/tools/%) + +###### +# Go # +###### + +# $(NEEDS_GO) is a target that is set as an order-only prerequisite in +# any target that calls $(GO), e.g.: +# +# $(BINDIR)/tools/crane: $(NEEDS_GO) +# $(GO) build -o $(BINDIR)/tools/crane +# +# $(NEEDS_GO) is empty most of the time, except when running "make vendor-go" +# or when "make vendor-go" was previously run, in which case $(NEEDS_GO) is set +# to $(BINDIR)/tools/go, since $(BINDIR)/tools/go is a prerequisite of +# any target depending on Go when "make vendor-go" was run. +NEEDS_GO := $(if $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(BINDIR)/tools/go ] && echo yes), $(BINDIR)/tools/go,) +ifeq ($(NEEDS_GO),) +GO := go +else +export GOROOT := $(PWD)/$(BINDIR)/tools/goroot +export PATH := $(PWD)/$(BINDIR)/tools/goroot/bin:$(PATH) +GO := $(PWD)/$(BINDIR)/tools/go +endif + +GOBUILD := CGO_ENABLED=$(CGO_ENABLED) GOMAXPROCS=$(GOBUILDPROCS) $(GO) build +GOTEST := CGO_ENABLED=$(CGO_ENABLED) $(GO) test + +# overwrite $(GOTESTSUM) and add CGO_ENABLED variable +GOTESTSUM := CGO_ENABLED=$(CGO_ENABLED) $(GOTESTSUM) + +.PHONY: vendor-go +## By default, this Makefile uses the system's Go. You can use a "vendored" +## version of Go that will get downloaded by running this command once. To +## disable vendoring, run "make unvendor-go". When vendoring is enabled, +## you will want to set the following: +## +## export PATH="$PWD/$(BINDIR)/tools:$PATH" +## export GOROOT="$PWD/$(BINDIR)/tools/goroot" +vendor-go: $(BINDIR)/tools/go + +.PHONY: unvendor-go +unvendor-go: $(BINDIR)/tools/go + rm -rf $(BINDIR)/tools/go $(BINDIR)/tools/goroot + +.PHONY: which-go +## Print the version and path of go which will be used for building and +## testing in Makefile commands. Vendored go will have a path in ./bin +which-go: | $(NEEDS_GO) + @$(GO) version + @echo "go binary used for above version information: $(GO)" + +# The "_" in "_go "prevents "go mod tidy" from trying to tidy the vendored +# goroot. +$(BINDIR)/tools/go: $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-$(HOST_OS)-$(HOST_ARCH)/goroot/bin/go $(BINDIR)/tools/goroot $(BINDIR)/scratch/VENDORED_GO_VERSION | $(BINDIR)/tools + cd $(dir $@) && $(LN) $(patsubst $(BINDIR)/%,../%,$<) . + @touch $@ # making sure the target of the symlink is newer than *_VERSION + +$(BINDIR)/tools/goroot: $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-$(HOST_OS)-$(HOST_ARCH)/goroot $(BINDIR)/scratch/VENDORED_GO_VERSION | $(BINDIR)/tools + @rm -rf $(BINDIR)/tools/goroot + cd $(dir $@) && $(LN) $(patsubst $(BINDIR)/%,../%,$<) . + @touch $@ # making sure the target of the symlink is newer than *_VERSION + +$(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-%/goroot $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-%/goroot/bin/go: $(BINDIR)/downloaded/tools/go-$(VENDORED_GO_VERSION)-%.tar.gz + @mkdir -p $(dir $@) + rm -rf $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-$*/goroot + tar xzf $< -C $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-$* + mv $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-$*/go $(BINDIR)/downloaded/tools/_go-$(VENDORED_GO_VERSION)-$*/goroot + +$(BINDIR)/downloaded/tools/go-$(VENDORED_GO_VERSION)-%.tar.gz: | $(BINDIR)/downloaded/tools + $(CURL) https://go.dev/dl/go$(VENDORED_GO_VERSION).$*.tar.gz -o $@ + +################### +# go dependencies # +################### + +GO_DEPENDENCIES := +GO_DEPENDENCIES += controller-gen=sigs.k8s.io/controller-tools/cmd/controller-gen +GO_DEPENDENCIES += goimports=golang.org/x/tools/cmd/goimports +GO_DEPENDENCIES += go-licenses=github.com/google/go-licenses +GO_DEPENDENCIES += gotestsum=gotest.tools/gotestsum +GO_DEPENDENCIES += kustomize=sigs.k8s.io/kustomize/kustomize/v4 +GO_DEPENDENCIES += gojq=github.com/itchyny/gojq/cmd/gojq +GO_DEPENDENCIES += crane=github.com/google/go-containerregistry/cmd/crane +GO_DEPENDENCIES += protoc-gen-go=google.golang.org/protobuf/cmd/protoc-gen-go +GO_DEPENDENCIES += helm-tool=github.com/cert-manager/helm-tool +GO_DEPENDENCIES += crdoc=fybrik.io/crdoc + +define go_dependency +$$(BINDIR)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(BINDIR)/downloaded/tools + GOBIN=$$(PWD)/$$(dir $$@) $$(GO) install $2@$($(call UC,$1)_VERSION) + @mv $$(PWD)/$$(dir $$@)/$1 $$@ +endef + +$(foreach GO_DEPENDENCY,$(GO_DEPENDENCIES),$(eval $(call go_dependency,$(word 1,$(subst =, ,$(GO_DEPENDENCY))),$(word 2,$(subst =, ,$(GO_DEPENDENCY)))))) + +######## +# Helm # +######## + +HELM_linux_amd64_SHA256SUM=1b2313cd198d45eab00cc37c38f6b1ca0a948ba279c29e322bdf426d406129b5 +HELM_darwin_amd64_SHA256SUM=1bdbbeec5a12dd0c1cd4efd8948a156d33e1e2f51140e2a51e1e5e7b11b81d47 +HELM_darwin_arm64_SHA256SUM=240b0a7da9cae208000eff3d3fb95e0fa1f4903d95be62c3f276f7630b12dae1 + +$(BINDIR)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://get.helm.sh/helm-$(HELM_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz + ./make/util/checkhash.sh $@.tar.gz $(HELM_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $@.tar.gz $(subst _,-,$*)/helm > $@ + chmod +x $@ + rm -f $@.tar.gz + +########### +# kubectl # +########### + +KUBECTL_linux_amd64_SHA256SUM=4685bfcf732260f72fce58379e812e091557ef1dfc1bc8084226c7891dd6028f +KUBECTL_darwin_amd64_SHA256SUM=7963839cb85028adffcca41b36a05dc273ccd5f8afe4a551106d0654f5c5168b +KUBECTL_darwin_arm64_SHA256SUM=6abf3d4a2c43812b3ac4565713716f835e2da82b36c8dff0e05e803c68dbdf56 + +$(BINDIR)/downloaded/tools/kubectl@$(KUBECTL_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/$(subst _,/,$*)/kubectl -o $@ + ./make/util/checkhash.sh $@ $(KUBECTL_$*_SHA256SUM) + chmod +x $@ + +######## +# kind # +######## + +KIND_linux_amd64_SHA256SUM=513a7213d6d3332dd9ef27c24dab35e5ef10a04fa27274fe1c14d8a246493ded +KIND_darwin_amd64_SHA256SUM=bffd8fb2006dc89fa0d1dde5ba6bf48caacb707e4df8551528f49145ebfeb7ad +KIND_darwin_arm64_SHA256SUM=8df041a5cae55471f3b039c3c9942226eb909821af63b5677fc80904caffaabf + +$(BINDIR)/downloaded/tools/kind@$(KIND_VERSION)_%: | $(BINDIR)/downloaded/tools $(BINDIR)/tools + $(CURL) -sSfL https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(subst _,-,$*) -o $@ + ./make/util/checkhash.sh $@ $(KIND_$*_SHA256SUM) + chmod +x $@ + +######### +# vault # +######### + +VAULT_linux_amd64_SHA256SUM=6031432dfc3de07f6523d206c44fc018aa969d94c8e9125a77340af359f57ea3 +VAULT_darwin_amd64_SHA256SUM=35422e5276957bcac4011fd16e39a99b068d746aae7ffb59448a3fc0dbf73b08 +VAULT_darwin_arm64_SHA256SUM=61201113883672a914282ca34cac659c5eba650aaa5e6cedbbc44fd5d0e31a45 + +$(BINDIR)/downloaded/tools/vault@$(VAULT_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://releases.hashicorp.com/vault/$(VAULT_VERSION)/vault_$(VAULT_VERSION)_$*.zip -o $@.zip + ./make/util/checkhash.sh $@.zip $(VAULT_$*_SHA256SUM) + unzip -qq -c $@.zip > $@ + chmod +x $@ + rm -f $@.zip + +######## +# azwi # +######## + +AZWI_linux_amd64_SHA256SUM=db91a0daf693909d82d5f7958bebdc8e8eb9c674f9b55acf73d8156eb2777c03 +AZWI_darwin_amd64_SHA256SUM=2fa7588a23231f7a47a34d94cc29406c8dedbfd9e3049cca40c2b3f698c5e7fd +AZWI_darwin_arm64_SHA256SUM=4a813f6b108ea1d735073788d89e186eff6291d3e00858f3b4d34db7d54fb14e + +$(BINDIR)/downloaded/tools/azwi@$(AZWI_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://github.com/Azure/azure-workload-identity/releases/download/$(AZWI_VERSION)/azwi-$(AZWI_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz + ./make/util/checkhash.sh $@.tar.gz $(AZWI_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $@.tar.gz azwi > $@ && chmod 775 $@ + rm -f $@.tar.gz + +##################### +# k8s codegen tools # +##################### + +K8S_CODEGEN_TOOLS := applyconfiguration-gen openapi-gen +K8S_CODEGEN_TOOLS_PATHS := $(K8S_CODEGEN_TOOLS:%=$(BINDIR)/tools/%) +K8S_CODEGEN_TOOLS_DOWNLOADS := $(K8S_CODEGEN_TOOLS:%=$(BINDIR)/downloaded/tools/%@$(K8S_CODEGEN_VERSION)) + +k8s-codegen-tools: $(K8S_CODEGEN_TOOLS_PATHS) + +$(K8S_CODEGEN_TOOLS_PATHS): $(BINDIR)/tools/%-gen: $(BINDIR)/scratch/K8S_CODEGEN_VERSION | $(BINDIR)/downloaded/tools/%-gen@$(K8S_CODEGEN_VERSION) $(BINDIR)/tools + cd $(dir $@) && $(LN) $(patsubst $(BINDIR)/%,../%,$(word 1,$|)) $(notdir $@) + @touch $@ # making sure the target of the symlink is newer than *_VERSION + +$(K8S_CODEGEN_TOOLS_DOWNLOADS): $(BINDIR)/downloaded/tools/%-gen@$(K8S_CODEGEN_VERSION): $(NEEDS_GO) | $(BINDIR)/downloaded/tools + GOBIN=$(PWD)/$(dir $@) $(GO) install k8s.io/code-generator/cmd/$(notdir $@) + @mv $(subst @$(K8S_CODEGEN_VERSION),,$@) $@ + +############################ +# kubebuilder-tools assets # +# kube-apiserver / etcd # +############################ + +KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=f9699df7b021f71a1ab55329b36b48a798e6ae3a44d2132255fc7e46c6790d4d +KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=e1913674bacaa70c067e15649237e1f67d891ba53f367c0a50786b4a274ee047 +KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=0422632a2bbb0d4d14d7d8b0f05497a4d041c11d770a07b7a55c44bcc5e8ce66 + +$(BINDIR)/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(BINDIR)/downloaded/tools + ./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@ + +$(BINDIR)/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: $(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(BINDIR)/downloaded/tools + ./make/util/checkhash.sh $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@ + +$(BINDIR)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(BINDIR)/downloaded/tools + $(CURL) https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@ + +########### +# kyverno # +########### + +KYVERNO_linux_amd64_SHA256SUM=6b18e6173b57e0e759aa5eb8a5fb942bfcd3874f2712442478f162dea291f962 +KYVERNO_darwin_amd64_SHA256SUM=1953908809907aac2e91522e8a49f7148e7ac24d2527af8455e687c762c2ef31 +KYVERNO_darwin_arm64_SHA256SUM=9025fa0b8aa7ba76e0b1edd10842cc0a9c47c8258d61ea65dce4ab861f368707 + +$(BINDIR)/downloaded/tools/kyverno@$(KYVERNO_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://github.com/kyverno/kyverno/releases/download/$(KYVERNO_VERSION)/kyverno-cli_$(KYVERNO_VERSION)_$(subst amd64,x86_64,$*).tar.gz -fsSL -o $@.tar.gz + ./make/util/checkhash.sh $@.tar.gz $(KYVERNO_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $@.tar.gz kyverno > $@ + chmod +x $@ + rm -f $@.tar.gz + +###### +# yq # +###### + +YQ_linux_amd64_SHA256SUM=bd695a6513f1196aeda17b174a15e9c351843fb1cef5f9be0af170f2dd744f08 +YQ_darwin_amd64_SHA256SUM=b2ff70e295d02695b284755b2a41bd889cfb37454e1fa71abc3a6ec13b2676cf +YQ_darwin_arm64_SHA256SUM=e9fc15db977875de982e0174ba5dc2cf5ae4a644e18432a4262c96d4439b1686 + +$(BINDIR)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@ + ./make/util/checkhash.sh $@ $(YQ_$*_SHA256SUM) + chmod +x $@ + +###### +# ko # +###### + +KO_linux_amd64_SHA256SUM=3f8f8e3fb4b78a4dfc0708df2b58f202c595a66c34195786f9a279ea991f4eae +KO_darwin_amd64_SHA256SUM=b879ea58255c9f2be2d4d6c4f6bd18209c78e9e0b890dbce621954ee0d63c4e5 +KO_darwin_arm64_SHA256SUM=8d41c228da3e04e3de293f0f5bfe1775a4c74582ba21c86ad32244967095189f + +$(BINDIR)/downloaded/tools/ko@$(KO_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://github.com/ko-build/ko/releases/download/v$(KO_VERSION)/ko_$(KO_VERSION)_$(subst linux,Linux,$(subst darwin,Darwin,$(subst amd64,x86_64,$*))).tar.gz -o $@.tar.gz + ./make/util/checkhash.sh $@.tar.gz $(KO_$*_SHA256SUM) + tar xfO $@.tar.gz ko > $@ + chmod +x $@ + rm -f $@.tar.gz + +########## +# protoc # +########## + +PROTOC_linux_amd64_SHA256SUM=4feef12d91c4e452eac8c45bd11f43d51541db7fc6c18b4ca7bdd38af52c9d15 +PROTOC_darwin_amd64_SHA256SUM=c438ae68427aa848f4e2dbf7d6cbd4e6a13e30a6bcc61007fd95cfc90451264a +PROTOC_darwin_arm64_SHA256SUM=e4cc0739f0f8ae31633fb11335f11e6fbe067ecda8fd1b4716e80cfe3661ee1d + +$(BINDIR)/downloaded/tools/protoc@$(PROTOC_VERSION)_%: | $(BINDIR)/downloaded/tools + $(CURL) https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(subst darwin,osx,$(subst arm64,aarch_64,$(subst amd64,x86_64,$(subst _,-,$*)))).zip -o $@.zip + ./make/util/checkhash.sh $@.zip $(PROTOC_$*_SHA256SUM) + unzip -qq -c $@.zip bin/protoc > $@ + chmod +x $@ + rm -f $@.zip + +################# +# Other Targets # +################# + +$(BINDIR) $(BINDIR)/scratch $(BINDIR)/tools $(BINDIR)/downloaded $(BINDIR)/downloaded/tools: + @mkdir -p $@ + +# Although we "vendor" most tools in $(BINDIR)/tools, we still require some binaries +# to be available on the system. The vendor-go MAKECMDGOALS trick prevents the +# check for the presence of Go when 'make vendor-go' is run. + +# Gotcha warning: MAKECMDGOALS only contains what the _top level_ make invocation used, and doesn't look at target dependencies +# i.e. if we have a target "abc: vendor-go test" and run "make abc", we'll get an error +# about go being missing even though abc itself depends on vendor-go! +# That means we need to pass vendor-go at the top level if go is not installed (i.e. "make vendor-go abc") + +MISSING=$(shell (command -v curl >/dev/null || echo curl) \ + && (command -v sha256sum >/dev/null || echo sha256sum) \ + && (command -v git >/dev/null || echo git) \ + && ([ -n "$(findstring vendor-go,$(MAKECMDGOALS),)" ] \ + || command -v $(GO) >/dev/null || echo "$(GO) (or run 'make vendor-go')") \ + && (command -v $(CTR) >/dev/null || echo "$(CTR) (or set CTR to a docker-compatible tool)")) +ifneq ($(MISSING),) +$(error Missing required tools: $(MISSING)) +endif + +# re-download all tools and replace the sha values if changed +# useful for determining the sha values after upgrading +learn-sha-tools: + rm -rf ./_bin/ + mkdir ./_bin/ + $(eval export LEARN_FILE=$(PWD)/_bin/learn_file) + echo -n "" > "$(LEARN_FILE)" + + HOST_OS=linux HOST_ARCH=amd64 $(MAKE) tools + HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) tools + HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) tools + + while read p; do \ + sed -i "$$p" ./make/tools.mk; \ + done <"$(LEARN_FILE)" diff --git a/make/util/checkhash.sh b/make/util/checkhash.sh new file mode 100755 index 00000000..3f1907b8 --- /dev/null +++ b/make/util/checkhash.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +set -eu -o pipefail + +# This script takes the hash of its first argument and verifies it against the +# hex hash given in its second argument + +SHASUM=$(./make/util/hash.sh "$1") + +# When running 'make learn-sha-tools', we don't want this script to fail. +# Instead we log what sha values are wrong, so the make.mk file can be updated. +if [ "$SHASUM" != "$2" ] && [ "${LEARN_FILE:-}" != "" ]; then + echo "s/$2/$SHASUM/g" >> "${LEARN_FILE:-}" + exit 0 +fi + +if [ "$SHASUM" != "$2" ]; then + echo "invalid checksum for \"$1\": wanted \"$2\" but got \"$SHASUM\"" + exit 1 +fi diff --git a/make/util/hash.sh b/make/util/hash.sh new file mode 100755 index 00000000..50364102 --- /dev/null +++ b/make/util/hash.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +set -eu -o pipefail + +# This script is a wrapper for outputting purely the sha256 hash of the input file, +# ideally in a portable way. + +sha256sum "$1" | cut -d" " -f1 diff --git a/make/util/verify.sh b/make/util/verify.sh new file mode 100755 index 00000000..8a9e3c19 --- /dev/null +++ b/make/util/verify.sh @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# +# Verify that the supplied command does not make any changes to the repository. +# +# This is called from the Makefile to verify that all code generation scripts +# have been run and that their changes have been committed to the repository. +# +# Runs any of the scripts or Make targets in this repository, after making a +# copy of the repository, then reports any changes to the files in the copy. + +# For example: +# +# make verify-helm-chart-update || \ +# make helm-chart-update +# +set -o errexit +set -o nounset +set -o pipefail + +projectdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../.." && pwd )" + +cd "${projectdir}" + +# Use short form arguments here to support BSD/macOS. `-d` instructs +# it to make a directory, `-t` provides a prefix to use for the directory name. +tmp="$(mktemp -d /tmp/verify.sh.XXXXXXXX)" + +cleanup() { + rm -rf "${tmp}" +} +trap "cleanup" EXIT SIGINT + +cp -a "${projectdir}/." "${tmp}" +pushd "${tmp}" >/dev/null + +"$@" + +popd >/dev/null + +if ! diff \ + --exclude=".git" \ + --exclude="_bin" \ + --exclude="helm_jsonschema" \ + --new-file --unified --show-c-function --recursive "${projectdir}" "${tmp}" +then + echo + echo "Project '${projectdir}' is out of date." + echo "Please run '${*}'" + exit 1 +fi