feat: KMP periodic retrieval with k8s requeue #1625

Merged (13 commits), Aug 16, 2024
4 changes: 4 additions & 0 deletions api/v1beta1/keymanagementproviders_types.go
Expand Up @@ -31,6 +31,10 @@ type KeyManagementProviderSpec struct {
// Name of the key management provider
Type string `json:"type,omitempty"`

// Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// +kubebuilder:default=""
RefreshInterval string `json:"refreshInterval,omitempty"`

// +kubebuilder:pruning:PreserveUnknownFields
// Parameters of the key management provider
Parameters runtime.RawExtension `json:"parameters,omitempty"`
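Review bot: the doc comment on `RefreshInterval` in this hunk has a duplicated phrase, "Valid time units are units are"; since controller-gen copies the comment verbatim into the CRD description, fix it here and regenerate rather than in the YAML. The comment also never says what the `+kubebuilder:default=""` value means in practice (no periodic refresh, presumably) or what happens when the string does not parse as a duration; one sentence on each, plus a `+kubebuilder:validation:Pattern` marker so malformed values are rejected at admission instead of surfacing only as a controller error, would make the field safer to use.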
4 changes: 4 additions & 0 deletions api/v1beta1/namespacedkeymanagementprovider_types.go
Expand Up @@ -32,6 +32,10 @@ type NamespacedKeyManagementProviderSpec struct {
// Name of the key management provider
Type string `json:"type,omitempty"`

// Refresh interval for the key management provider. Only used if the key management provider is refreshable. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
// +kubebuilder:default=""
RefreshInterval string `json:"refreshInterval,omitempty"`

// +kubebuilder:pruning:PreserveUnknownFields
// Parameters of the key management provider
Parameters runtime.RawExtension `json:"parameters,omitempty"`
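Review bot: the `RefreshInterval` comment here differs from the one on the cluster-scoped `KeyManagementProviderSpec` in the previous file (it drops the "1h30m" format example and the "Only for providers that are refreshable" wording). The two fields have identical semantics, so their comments should be identical too; otherwise the generated CRD descriptions for the two kinds drift apart. The same point about documenting what the empty default means applies here.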
Expand Up @@ -14,73 +14,87 @@ spec:
singular: keymanagementprovider
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.issuccess
name: IsSuccess
type: boolean
- jsonPath: .status.brieferror
name: Error
type: string
- jsonPath: .status.lastfetchedtime
name: LastFetchedTime
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: KeyManagementProvider is the Schema for the keymanagementproviders
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: KeyManagementProviderSpec defines the desired state of KeyManagementProvider
properties:
parameters:
description: Parameters of the key management provider
type: object
x-kubernetes-preserve-unknown-fields: true
type:
description: Name of the key management provider
type: string
type: object
status:
description: KeyManagementProviderStatus defines the observed state of
KeyManagementProvider
properties:
brieferror:
description: Truncated error message if the message is too long
type: string
error:
description: Error message if operation was unsuccessful
type: string
issuccess:
description: Is successful in loading certificate/key files
type: boolean
lastfetchedtime:
description: The time stamp of last successful certificate/key fetch
operation. If operation failed, last fetched time shows the time
of error
format: date-time
type: string
- additionalPrinterColumns:
- jsonPath: .status.issuccess
name: IsSuccess
type: boolean
- jsonPath: .status.brieferror
name: Error
type: string
- jsonPath: .status.lastfetchedtime
name: LastFetchedTime
type: date
name: v1beta1
schema:
openAPIV3Schema:
description:
KeyManagementProvider is the Schema for the keymanagementproviders
API
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description: KeyManagementProviderSpec defines the desired state of KeyManagementProvider
properties:
refreshInterval:
default: ""
description:
Refresh interval for fetching the certificate/key files
from the provider. Only for providers that are refreshable. The
value is in the format of "1h30m" where "h" means hour and "m" means
minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".
type: string
parameters:
description: Parameters of the key management provider
type: object
x-kubernetes-preserve-unknown-fields: true
type:
description: Name of the key management provider
type: string
type: object
status:
description:
KeyManagementProviderStatus defines the observed state of
KeyManagementProvider
properties:
brieferror:
description: Truncated error message if the message is too long
type: string
error:
description: Error message if operation was unsuccessful
type: string
issuccess:
description: Is successful in loading certificate/key files
type: boolean
lastfetchedtime:
description:
The time stamp of last successful certificate/key fetch
operation. If operation failed, last fetched time shows the time
of error
format: date-time
type: string
properties:
description: provider specific properties of the each individual certificate/key
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- issuccess
type: object
type: object
served: true
storage: true
subresources:
status: {}
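Review bot: this hunk rewrites the whole CRD (single quotes to double quotes, every description re-wrapped onto its own line) while the only functional change is the new `refreshInterval` property with `default: ""`. That reformatting points to a controller-gen version different from the one that produced the checked-in file, and the next `make manifests` run on another machine will churn it back; pin the generator version or split the cosmetic rewrite into its own commit so the real change is reviewable. The `refreshInterval` description also inherits the "Valid time units are units are" typo from the Go comment, and the pre-existing "of the each individual certificate/key" wording in the status block could be fixed at the same time in the Go source.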
Expand Up @@ -14,74 +14,89 @@ spec:
singular: namespacedkeymanagementprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.issuccess
name: IsSuccess
type: boolean
- jsonPath: .status.brieferror
name: Error
type: string
- jsonPath: .status.lastfetchedtime
name: LastFetchedTime
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: NamespacedKeyManagementProvider is the Schema for the namespacedkeymanagementproviders
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: NamespacedKeyManagementProviderSpec defines the desired state
of NamespacedKeyManagementProvider
properties:
parameters:
description: Parameters of the key management provider
type: object
x-kubernetes-preserve-unknown-fields: true
type:
description: Name of the key management provider
type: string
type: object
status:
description: NamespacedKeyManagementProviderStatus defines the observed
state of NamespacedKeyManagementProvider
properties:
brieferror:
description: Truncated error message if the message is too long
type: string
error:
description: Error message if operation was unsuccessful
type: string
issuccess:
description: Is successful in loading certificate/key files
type: boolean
lastfetchedtime:
description: The time stamp of last successful certificate/key fetch
operation. If operation failed, last fetched time shows the time
of error
format: date-time
type: string
- additionalPrinterColumns:
- jsonPath: .status.issuccess
name: IsSuccess
type: boolean
- jsonPath: .status.brieferror
name: Error
type: string
- jsonPath: .status.lastfetchedtime
name: LastFetchedTime
type: date
name: v1beta1
schema:
openAPIV3Schema:
description:
NamespacedKeyManagementProvider is the Schema for the namespacedkeymanagementproviders
API
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description:
NamespacedKeyManagementProviderSpec defines the desired state
of NamespacedKeyManagementProvider
properties:
refreshInterval:
default: ""
description:
Refresh interval for fetching the certificate/key files
from the provider. Only for providers that are refreshable. The
value is in the format of "1h30m" where "h" means hour and "m" means
minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".
type: string
parameters:
description: Parameters of the key management provider
type: object
x-kubernetes-preserve-unknown-fields: true
type:
description: Name of the key management provider
type: string
type: object
status:
description:
NamespacedKeyManagementProviderStatus defines the observed
state of NamespacedKeyManagementProvider
properties:
brieferror:
description: Truncated error message if the message is too long
type: string
error:
description: Error message if operation was unsuccessful
type: string
issuccess:
description: Is successful in loading certificate/key files
type: boolean
lastfetchedtime:
description:
The time stamp of last successful certificate/key fetch
operation. If operation failed, last fetched time shows the time
of error
format: date-time
type: string
properties:
description: provider specific properties of the each individual certificate/key
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- issuccess
type: object
type: object
served: true
storage: true
subresources:
status: {}
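Review bot: the `refreshInterval` description in this namespaced CRD ("Refresh interval for fetching the certificate/key files from the provider ...") does not match the comment on `NamespacedKeyManagementProviderSpec.RefreshInterval` in api/v1beta1/namespacedkeymanagementprovider_types.go ("Refresh interval for the key management provider. Only used if ..."), so this file does not look regenerated from the Go type as changed in this PR. Align the two Go comments first, then regenerate so every CRD copy carries the same text.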
Expand Up @@ -54,6 +54,14 @@ spec:
description: Parameters of the key management provider
type: object
x-kubernetes-preserve-unknown-fields: true
refreshInterval:
default: ""
description: Refresh interval for fetching the certificate/key files
from the provider. Only for providers that are refreshable. The
value is in the format of "1h30m" where "h" means hour and "m" means
minute. Valid time units are units are "ns", "us" (or "µs"), "ms",
"s", "m", "h".
type: string
type:
description: Name of the key management provider
type: string
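Review bot: the same duplicated phrase "Valid time units are units are" appears in the `refreshInterval` description in this hunk; fix the source comment on the Go type and regenerate rather than editing this copy by hand, otherwise the next regeneration reintroduces it.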
Expand Down
Expand Up @@ -55,6 +55,12 @@ spec:
description: Parameters of the key management provider
type: object
x-kubernetes-preserve-unknown-fields: true
refreshInterval:
default: ""
description: Refresh interval for the key management provider. Only
used if the key management provider is refreshable. Valid time units
are "ns", "us" (or "µs"), "ms", "s", "m", "h".
type: string
type:
description: Name of the key management provider
type: string
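Review bot: this copy of the namespaced CRD carries the short description ("Refresh interval for the key management provider. Only used if ...") while the other namespaced CRD changed in this PR carries the long one with the "1h30m" example. Two generated copies of the same CRD with different text means at least one was not regenerated from the current Go type; settle on one wording in the Go comment and regenerate both.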
Expand Down
@@ -1,13 +1,13 @@
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
name: keymanagementprovider-inline
name: keymanagementprovider-akv
spec:
type: azurekeyvault
parameters:
vaultURI: https://yourkeyvault.vault.azure.net/
certificates:
- name: yourCertName
version: yourCertVersion # Optional, fetch latest version if empty
version: yourCertVersion # Optional, fetch latest version if empty
tenantID:
clientID:
clientID:
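Review bot: the rename from `keymanagementprovider-inline` to `keymanagementprovider-akv` is the right fix, since `type: azurekeyvault` is not the inline provider, but the other changed lines in this hunk (`version: yourCertVersion # Optional, ...` and `clientID:`) read identically before and after, so they are whitespace-only edits. Worth checking that nothing else in the repository (docs, tests, kustomize overlays) still references the old `keymanagementprovider-inline` name for this sample.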
@@ -0,0 +1,14 @@
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
name: keymanagementprovider-akv
spec:
type: azurekeyvault
refreshInterval: 1m
parameters:
vaultURI: https://yourkeyvault.vault.azure.net/
certificates:
- name: yourCertName
version: yourCertVersion # Optional, fetch latest version if empty
tenantID:
clientID:
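Review bot: `refreshInterval: 1m` in a copy-paste sample means a fetch from Key Vault every minute for every certificate listed, which is a lot of traffic against an external secret store and will be visible in its audit logs. A short inline comment on the field, like the one already on `version:`, stating that the value is a duration string such as "1h30m", that each refresh re-fetches the certificate/key files from the provider, and what leaving it empty means, would help users pick a sane value. Also `tenantID:` and `clientID:` are left blank while `vaultURI` has a placeholder; placeholders for all three would be more consistent.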