
Commit e9b2515

make generate

- Introduce firefly connection type to CRD schemas
- Add firefly accessToken retrieval steps and validation rules
- Update controller-gen version annotation
- Adjust validation to require one of tpp, vaas, vcp, or firefly
- Update LICENSES for new and upgraded dependencies

Signed-off-by: Richard Wall <[email protected]>
1 parent 2e5513e commit e9b2515


4 files changed

+597
-6
lines changed


LICENSES

Lines changed: 3 additions & 3 deletions
@@ -65,7 +65,6 @@ github.com/google/btree,Apache-2.0
6565
github.com/google/cel-go,Apache-2.0
6666
github.com/google/cel-go,BSD-3-Clause
6767
github.com/google/gnostic-models,Apache-2.0
68-
github.com/google/go-cmp/cmp,BSD-3-Clause
6968
github.com/google/uuid,BSD-3-Clause
7069
github.com/gorilla/css/scanner,BSD-3-Clause
7170
github.com/gorilla/websocket,BSD-2-Clause
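Review bot: github.com/google/go-cmp/cmp is dropped from the license inventory, but neither of the two files shown on this page touches go.mod or go.sum, so the removal cannot be checked against the build here. Confirm that the other two changed files in this commit actually remove the go-cmp requirement (or that it only ever reached the binary transitively and is now pruned); a LICENSES file that drifts from go.mod is worse than one that lists an extra entry, because downstream SBOM and compliance tooling treats it as authoritative.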
@@ -100,6 +99,8 @@ go.opentelemetry.io/otel,Apache-2.0
10099
go.opentelemetry.io/otel/trace,Apache-2.0
101100
go.uber.org/multierr,MIT
102101
go.uber.org/zap,MIT
102+
go.yaml.in/yaml/v2,Apache-2.0
103+
go.yaml.in/yaml/v3,MIT
103104
golang.org/x/crypto,BSD-3-Clause
104105
golang.org/x/exp,BSD-3-Clause
105106
golang.org/x/net,BSD-3-Clause
@@ -139,8 +140,7 @@ sigs.k8s.io/controller-runtime/pkg,Apache-2.0
139140
sigs.k8s.io/json,Apache-2.0
140141
sigs.k8s.io/json,BSD-3-Clause
141142
sigs.k8s.io/randfill,Apache-2.0
142-
sigs.k8s.io/structured-merge-diff/v4,Apache-2.0
143+
sigs.k8s.io/structured-merge-diff/v6,Apache-2.0
143144
sigs.k8s.io/yaml,MIT
144145
sigs.k8s.io/yaml,Apache-2.0
145146
sigs.k8s.io/yaml,BSD-3-Clause
146-
sigs.k8s.io/yaml/goyaml.v2,Apache-2.0
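Review bot: the sigs.k8s.io/structured-merge-diff move from v4 to v6 is a major-version change, and the commit message only describes it as an "upgraded dependency"; the go.mod edit that drives it is not among the files shown here. Confirm that the apimachinery/client-go/controller-runtime bump that requires structured-merge-diff/v6 is part of the same commit so the inventory and the build move together. The drop of sigs.k8s.io/yaml/goyaml.v2 here is consistent with go.yaml.in/yaml/v2 and go.yaml.in/yaml/v3 being added in the previous hunk, which is the expected result of the yaml fork relocation; it would help reviewers if the commit body named that relocation explicitly rather than leaving it to be inferred from the license rows.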

deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml

Lines changed: 206 additions & 2 deletions
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
44
kind: CustomResourceDefinition
55
metadata:
66
annotations:
7-
controller-gen.kubebuilder.io/version: v0.17.3
7+
controller-gen.kubebuilder.io/version: v0.18.0
88
name: venaficonnections.jetstack.io
99
spec:
1010
group: jetstack.io
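Review bot: the controller-gen annotation moves from v0.17.3 to v0.18.0, but nothing on this page pins that version in the tooling (Makefile, tools go.mod, or a hack script). If the pin lives in one of the two changed files not shown here, fine; if it was bumped only in a developer's local cache, the next `make generate` on another machine will regenerate with v0.17.3 and flip this annotation back, producing perpetual churn in the CRD. A controller-gen minor bump can also change unrelated generated output (ordering, description wrapping, default markers), so it is worth confirming that the only schema differences in this file beyond the annotation are the intended firefly additions in the next hunk.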
@@ -94,6 +94,210 @@ spec:
9494
type: object
9595
type: object
9696
x-kubernetes-map-type: atomic
97+
firefly:
98+
properties:
99+
accessToken:
100+
description: |-
101+
The list of steps to retrieve the Access Token that will be used to connect
102+
to Firefly.
103+
items:
104+
properties:
105+
hashicorpVaultLDAP:
106+
description: |-
107+
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in
108+
the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It
109+
then fetches the requested secrets from Vault for use in the next step.
110+
properties:
111+
ldapPath:
112+
description: |-
113+
The full HTTP path to the secret in Vault. Example:
114+
/v1/ldap/static-cred/:role_name
115+
or
116+
/v1/ldap/creds/:role_name
117+
type: string
118+
url:
119+
description: The URL to connect to your HashiCorp Vault
120+
instance.
121+
type: string
122+
required:
123+
- ldapPath
124+
type: object
125+
hashicorpVaultOAuth:
126+
description: |-
127+
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource
128+
step to provide an OAuth token, which this step uses to authenticate to
129+
Vault. The output of this step is a Vault token. This step allows you to use
130+
the step `HashicorpVaultSecret` afterwards.
131+
properties:
132+
authInputType:
133+
description: |-
134+
AuthInputType is the authentication method to be used to authenticate
135+
with HashiCorp Vault. The only supported value is "OIDC".
136+
enum:
137+
- OIDC
138+
type: string
139+
authPath:
140+
description: |-
141+
The login URL used for obtaining the Vault token. Example:
142+
/v1/auth/oidc/login
143+
type: string
144+
clientId:
145+
description: 'Deprecated: This field does nothing and
146+
will be removed in the future.'
147+
type: string
148+
role:
149+
description: |-
150+
The role defined in Vault that we want to use when authenticating to
151+
Vault.
152+
type: string
153+
url:
154+
description: The URL to connect to your HashiCorp Vault
155+
instance.
156+
type: string
157+
required:
158+
- authInputType
159+
- authPath
160+
- role
161+
type: object
162+
hashicorpVaultSecret:
163+
description: |-
164+
HashicorpVaultSecret is a SecretSource step that requires a Vault token in
165+
the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It
166+
then fetches the requested secrets from Vault for use in the next step.
167+
properties:
168+
fields:
169+
description: |-
170+
The fields are Vault keys pointing to the secrets passed to the next
171+
SecretSource step.
172+
173+
Example 1 (TPP, username and password): imagining that you have stored
174+
the username and password for TPP under the keys "username" and
175+
"password", you will want to set this field to `["username",
176+
"password"]`. The username is expected to be given first, the password
177+
second.
178+
items:
179+
type: string
180+
type: array
181+
secretPath:
182+
description: |-
183+
The full HTTP path to the secret in Vault. Example:
184+
/v1/secret/data/application-team-a/tpp-username-password
185+
type: string
186+
url:
187+
description: The URL to connect to your HashiCorp Vault
188+
instance.
189+
type: string
190+
required:
191+
- fields
192+
- secretPath
193+
type: object
194+
secret:
195+
description: |-
196+
Secret is a SecretSource step meant to be the first step. It retrieves secret
197+
values from a Kubernetes Secret, and passes them to the next step.
198+
properties:
199+
fields:
200+
description: |-
201+
The names of the fields we want to extract from the Kubernetes secret.
202+
These fields are passed to the next step in the chain.
203+
items:
204+
type: string
205+
type: array
206+
name:
207+
description: The name of the Kubernetes secret.
208+
type: string
209+
required:
210+
- fields
211+
- name
212+
type: object
213+
serviceAccountToken:
214+
description: |-
215+
ServiceAccountToken is a SecretSource step meant to be the first step. It
216+
uses the Kubernetes TokenRequest API to retrieve a token for a given service
217+
account, and passes it to the next step.
218+
properties:
219+
audiences:
220+
description: |-
221+
Audiences are the intendend audiences of the token. A recipient of a
222+
token must identify themself with an identifier in the list of
223+
audiences of the token, and otherwise should reject the token. A
224+
token issued for multiple audiences may be used to authenticate
225+
against any of the audiences listed but implies a high degree of
226+
trust between the target audiences.
227+
items:
228+
type: string
229+
type: array
230+
expirationSeconds:
231+
description: |-
232+
ExpirationSeconds is the requested duration of validity of the request. The
233+
token issuer may return a token with a different validity duration so a
234+
client needs to check the 'expiration' field in a response.
235+
format: int64
236+
type: integer
237+
name:
238+
description: The name of the Kubernetes service account.
239+
type: string
240+
required:
241+
- audiences
242+
- name
243+
type: object
244+
tppOAuth:
245+
description: |-
246+
TPPOAuth is a SecretSource step that authenticates to a TPP server. This
247+
step is meant to be the last step and requires a prior step that depends
248+
on the `authInputType`.
249+
properties:
250+
authInputType:
251+
description: |-
252+
AuthInputType is the authentication method to be used to authenticate
253+
with TPP. The supported values are "UsernamePassword" and "JWT".
254+
enum:
255+
- UsernamePassword
256+
- JWT
257+
type: string
258+
clientId:
259+
description: ClientID is the clientId used to authenticate
260+
with TPP.
261+
type: string
262+
url:
263+
description: |-
264+
The URL to connect to the Venafi TPP instance. The two URLs
265+
https://tpp.example.com and https://tpp.example.com/vedsdk are
266+
equivalent. The ending `/vedsdk` is optional and is stripped out
267+
by our client.
268+
If not set, defaults to the URL defined at the top-level of the
269+
TPP configuration.
270+
type: string
271+
required:
272+
- authInputType
273+
type: object
274+
vcpOAuth:
275+
description: |-
276+
VCPOAuth is a SecretSource step that authenticates to the Venafi Control
277+
Plane. This step is meant to be the last step and requires a prior step
278+
that outputs a JWT token.
279+
properties:
280+
tenantID:
281+
description: TenantID is the tenant ID used to authenticate
282+
with VCP.
283+
type: string
284+
type: object
285+
type: object
286+
x-kubernetes-validations:
287+
- message: must have exactly one field set
288+
rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken)
289+
? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret)
290+
? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth)
291+
? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1'
292+
maxItems: 50
293+
type: array
294+
x-kubernetes-list-type: atomic
295+
url:
296+
description: The URL to connect to the Venafi Firefly instance.
297+
type: string
298+
required:
299+
- url
300+
type: object
97301
tpp:
98302
properties:
99303
accessToken:
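Review bot: the description for `hashicorpVaultLDAP` (the block starting `HashicorpVaultLDAP is a SecretSource step that requires a Vault token in`) is a verbatim copy of the `hashicorpVaultSecret` text and says it "fetches the requested secrets from Vault", while its only fields are `ldapPath` and `url` pointing at `/v1/ldap/static-cred/:role_name` or `/v1/ldap/creds/:role_name`; it should say that it reads LDAP credentials (username and password) via the Vault LDAP secrets engine and what it hands to the next step. Likewise `hashicorpVaultOAuth` still says "This step allows you to use the step `HashicorpVaultSecret` afterwards" and does not mention `HashicorpVaultLDAP` as a valid successor. Because this file is controller-gen output, the fix belongs in the Go type doc comments, followed by another `make generate`, not in this YAML.

Three further points in the same hunk. First, `tppOAuth.url` says "If not set, defaults to the URL defined at the top-level of the TPP configuration", but under `firefly` the only top-level URL is `firefly.url`, described as "The URL to connect to the Venafi Firefly instance", so either the fallback does not apply in a firefly connection or the description is wrong; state which. Second, `serviceAccountToken.expirationSeconds` has no `minimum`, yet the Kubernetes TokenRequest API rejects durations under 600 seconds, so `minimum: 600` (and a sensible `maximum`, since these tokens are bearer credentials for an external CA) would fail at admission instead of at reconcile time; similarly `audiences` is required but has no `minItems: 1`, and an empty list makes TokenRequest default to the API server's own audience, which is the one audience this token must not carry. Third, `firefly.url` is a bare `type: string` with no `pattern` or `format`; the access token retrieved by these steps is sent to that URL, so consider constraining it to `https://` at the schema level, as a plaintext endpoint would leak the credential chain built by every step above it.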
@@ -1117,7 +1321,7 @@ spec:
11171321
- message: 'must have exactly ONE of the following fields set: tpp or
11181322
vcp'
11191323
rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp)
1120-
? 1 : 0) == 1'
1324+
? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1'
11211325
status:
11221326
properties:
11231327
conditions:
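Review bot: the CEL rule now counts `tpp`, `vaas`, `vcp` and `firefly`, but the accompanying message is unchanged and still reads 'must have exactly ONE of the following fields set: tpp or vcp', so a user who sets two of these, or none, gets an error that omits the very field this commit introduces (and the already-accepted `vaas`). Update the message to list all four, e.g. `must have exactly ONE of the following fields set: tpp, vaas, vcp or firefly`, in the Go marker so regeneration preserves it.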

0 commit comments