Merge pull request #1133 from RafaySystems/RC-45007-fixes

Rc 45007 fixes

Author: rafay-phani

docs/index.md

@@ -112,11 +112,35 @@ provider "rafay" {
 The Rafay provider offers a flexible means of providing credentials for
 authentication. The following methods are supported, in this order, and
 explained below:
-
+- Direct Credentials in Provider Configuration
 - Environment variables
 - Credentials/configuration file
 
 
+### Direct Credentials in Provider Configuration
+
+You can provide credentials directly in the `rafay` provider block. This is the recommended approach when fetching credentials from a secret management tool like HashiCorp Vault.
+
+```terraform
+provider "rafay" {
+  api_key       = data.vault_kv_secret_v2.rafay.data.api_key
+  rest_endpoint = data.vault_kv_secret_v2.rafay.data.endpoint
+  project       = data.vault_kv_secret_v2.rafay.data.project
+}
+```
+
+Or with hardcoded values (not recommended for production):
+
+```terraform
+provider "rafay" {
+  api_key       = "ra2.xxxxxxxxxxxxx"
+  rest_endpoint = "console.rafay.dev"
+  project       = "defaultproject"
+}
+```
+
+This method takes precedence over environment variables and the configuration file.
+
 ### Environment Variables
 
 You can provide your credentials via the `RCTL_REST_ENDPOINT`, `RCTL_API_KEY`,
@@ -155,5 +179,10 @@ provider "rafay" {
 
 ### Optional
 
+- **api_key** (String, Sensitive) Rafay API key. Can also be set via the `RCTL_API_KEY` environment variable.
+- **ignore_insecure_tls_error** (Boolean) Skip TLS certificate verification.
+- **project** (String) Rafay project name. Can also be set via the `RCTL_PROJECT` environment variable.
+- **provider_config_file** (String) Path to Rafay configuration file. Defaults to `~/.rafay/cli/config.json`. Can also be set via the `RAFAY_PROVIDER_CONFIG` environment variable.
+- **rest_endpoint** (String) Rafay API endpoint (e.g., `console.rafay.dev`). Can also be set via the `RCTL_REST_ENDPOINT` environment variable.
 - **ignore_insecure_tls_error** (Boolean)
 - **provider_config_file** (String)

go.mod

@@ -6,8 +6,8 @@ toolchain go1.24.9
 
 require (
 	github.com/RafaySystems/edge-common v1.24.1-0.20240905053610-494a83a439f8
-	github.com/RafaySystems/rafay-common v1.29.1-rc2.0.20251031043157-2e9b455c9bfc
-	github.com/RafaySystems/rctl v1.29.1-0.20251009073106-3a01a70d5f7f
+	github.com/RafaySystems/rafay-common v1.29.1-rc2.0.20251103113511-05b1a32bbbc0
+	github.com/RafaySystems/rctl v1.29.1-0.20251105214534-501a9e6c91c1
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/go-yaml/yaml v2.1.0+incompatible
 	github.com/goccy/go-yaml v1.9.5

go.sum

@@ -22,10 +22,10 @@ github.com/RafaySystems/edge-common v1.24.1-0.20240905053610-494a83a439f8 h1:Pce
 github.com/RafaySystems/edge-common v1.24.1-0.20240905053610-494a83a439f8/go.mod h1:5mRn2xN25Y8mpObHyOwDB3OLudeuglzHTQX9IiNHxhM=
 github.com/RafaySystems/paas-common v0.0.0-20250519095800-e92646adcd6e h1:SrznY+xkaQ4BkX0HXGa0upur7RAtR6UsTsdMNEgBreY=
 github.com/RafaySystems/paas-common v0.0.0-20250519095800-e92646adcd6e/go.mod h1:vDR0S28Q+hwE/5wO0L/Ohn9CZwaI/o2QuPupJ2iLI7k=
-github.com/RafaySystems/rafay-common v1.29.1-rc2.0.20251031043157-2e9b455c9bfc h1:7hfknF6cW0o3Ecbkf86O1w4tm7XbewZYRwh92QgPniw=
-github.com/RafaySystems/rafay-common v1.29.1-rc2.0.20251031043157-2e9b455c9bfc/go.mod h1:NozE55WdAl4Td8+GMPxbRN/qI5tu8tkPBH/hj8aZqSE=
-github.com/RafaySystems/rctl v1.29.1-0.20251009073106-3a01a70d5f7f h1:D14avgXPoI7B3rRYwynLJiE3BxzgMVejIUl9SvcvWcE=
-github.com/RafaySystems/rctl v1.29.1-0.20251009073106-3a01a70d5f7f/go.mod h1:tn0SlvXgdHfrVBeoe4wCwmhW30+zw8b1efp9uSTKWPY=
+github.com/RafaySystems/rafay-common v1.29.1-rc2.0.20251103113511-05b1a32bbbc0 h1:8LKWepImU4h35JCxDZ17GGpuQ4oWJB8WY1D9IXMNl3o=
+github.com/RafaySystems/rafay-common v1.29.1-rc2.0.20251103113511-05b1a32bbbc0/go.mod h1:NozE55WdAl4Td8+GMPxbRN/qI5tu8tkPBH/hj8aZqSE=
+github.com/RafaySystems/rctl v1.29.1-0.20251105214534-501a9e6c91c1 h1:Ay0PO/aJuFD6VNvNESuPRRyKZS1itdKbdk3z1bBEr6A=
+github.com/RafaySystems/rctl v1.29.1-0.20251105214534-501a9e6c91c1/go.mod h1:wkUnTFcFBbgivx61WxuKG53dOwbWpdYakiGiRhqQV9U=
 github.com/RoaringBitmap/roaring v1.9.4 h1:yhEIoH4YezLYT04s1nHehNO64EKFTop/wBhxv2QzDdQ=
 github.com/RoaringBitmap/roaring v1.9.4/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
 github.com/abhay-krishna/cluster-api v1.4.2-eksa.1 h1:mO+idOdh9Bpumgo41WJcrASPtJGSgmRxHNiwtUdUa+E=

internal/provider/provider.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"net/http"
+	"os"
 	"os/user"
 	"path/filepath"
 	"strings"
@@ -46,6 +47,9 @@ func New(version string) func() provider.Provider {
 type RafayFwProviderModel struct {
 	ProviderConfigFile     types.String        `tfsdk:"provider_config_file"`
 	IgnoreInsecureTlsError basetypes.BoolValue `tfsdk:"ignore_insecure_tls_error"`
+	ApiKey                 types.String        `tfsdk:"api_key"`
+	RestEndpoint           types.String        `tfsdk:"rest_endpoint"`
+	Project                types.String        `tfsdk:"project"`
 }
 
 func (p *RafayFwProvider) Schema(ctx context.Context, req provider.SchemaRequest, resp *provider.SchemaResponse) {
@@ -57,6 +61,19 @@ func (p *RafayFwProvider) Schema(ctx context.Context, req provider.SchemaRequest
 			"ignore_insecure_tls_error": schema.BoolAttribute{
 				Optional: true,
 			},
+			"api_key": schema.StringAttribute{
+				Description: "Rafay API key",
+				Optional:    true,
+				Sensitive:   true,
+			},
+			"rest_endpoint": schema.StringAttribute{
+				Description: "Rafay API endpoint",
+				Optional:    true,
+			},
+			"project": schema.StringAttribute{
+				Description: "Rafay project",
+				Optional:    true,
+			},
 		},
 	}
 
@@ -77,15 +94,29 @@ func (p *RafayFwProvider) Configure(ctx context.Context, req provider.ConfigureR
 		return
 	}
 
+	apiKey := data.ApiKey.ValueString()
+	restEndpoint := data.RestEndpoint.ValueString()
+	project := data.Project.ValueString()
+
+	cliCtx := rctlcontext.GetContext()
+	if apiKey != "" && restEndpoint != "" {
+		cliCtx.APIKey = apiKey
+		cliCtx.RestEndpoint = restEndpoint
+
+		// The project is handled by setting an environment variable, which rctl already supports.
+		if project != "" {
+			os.Setenv("RCTL_PROJECT", project)
+		}
+	}
+
 	configFile := data.ProviderConfigFile.ValueString()
 	ignoreTlsError := data.IgnoreInsecureTlsError
 
 	tflog.Info(ctx, "rafay provider config file", map[string]interface{}{
 		"config_file": configFile,
 	})
 
-	cliCtx := rctlcontext.GetContext()
-
+	
 	if configFile != "" {
 		var err error
 

rafay/provider.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"log"
 	"net/http"
+	"os"
 	"os/user"
 	"path/filepath"
 	"strings"
@@ -31,6 +32,25 @@ func New(_ string) func() *schema.Provider {
 					Type:     schema.TypeBool,
 					Optional: true,
 				},
+				"api_key": &schema.Schema{
+					Type:        schema.TypeString,
+					Description: "Rafay API key",
+					Optional:    true,
+					Sensitive:   true,
+					DefaultFunc: schema.EnvDefaultFunc("RCTL_API_KEY", nil),
+				},
+				"rest_endpoint": &schema.Schema{
+					Type:        schema.TypeString,
+					Description: "Rafay API endpoint",
+					Optional:    true,
+					DefaultFunc: schema.EnvDefaultFunc("RCTL_REST_ENDPOINT", nil),
+				},
+				"project": &schema.Schema{
+					Type:        schema.TypeString,
+					Description: "Rafay project",
+					Optional:    true,
+					DefaultFunc: schema.EnvDefaultFunc("RCTL_PROJECT", nil),
+				},
 			},
 			ResourcesMap: map[string]*schema.Resource{
 				"rafay_project":                       resourceProject(),
@@ -152,9 +172,22 @@ func providerConfigure(ctx context.Context, rd *schema.ResourceData) (interface{
 
 	config_file := rd.Get("provider_config_file").(string)
 	ignoreTlsError := rd.Get("ignore_insecure_tls_error").(bool)
+	apiKey := rd.Get("api_key").(string)
+	restEndpoint := rd.Get("rest_endpoint").(string)
+	project := rd.Get("project").(string)
 
 	log.Printf("rafay provider config file %s", config_file)
 	cliCtx := rctlcontext.GetContext()
+
+	// If direct credentials provided, use them (takes precedence)
+	if apiKey != "" && restEndpoint != "" {
+		cliCtx.APIKey = apiKey
+		cliCtx.RestEndpoint = restEndpoint
+		if project != "" {
+			os.Setenv("RCTL_PROJECT", project)
+		}
+	}
+	
 	if config_file != "" {
 		var err error