Merge pull request #212 from negz/pro

Introduce a distinct ProviderConfig credentials field
crossplane · Oct 8, 2020 · 51c117e · 51c117e
2 parents b7c00ee + ab7ab7c
commit 51c117e
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 36 deletions.
diff --git a/apis/core/v1alpha1/resource.go b/apis/core/v1alpha1/resource.go
@@ -171,13 +171,45 @@ type ProviderSpec struct {
 	CredentialsSecretRef *SecretKeySelector `json:"credentialsSecretRef,omitempty"`
 }
 
-// A ProviderConfigSpec defines the common way to get to the necessary objects
-// to connect to the provider.
+// A ProviderConfigSpec defines the desired state of a provider config. A
+// provider config may embed this type in its spec in order to support standard
+// fields. Provider configs may choose to avoid embedding this type as
+// appropriate, but are encouraged to follow its conventions.
 type ProviderConfigSpec struct {
-	// CredentialsSecretRef references a specific secret's key that contains
-	// the credentials that are used to connect to the provider.
+	// Credentials required to authenticate to this provider.
+	Credentials ProviderCredentials `json:"credentials"`
+}
+
+// A CredentialsSource is a source from which provider credentials may be
+// acquired.
+type CredentialsSource string
+
+const (
+	// CredentialsSourceNone indicates that a provider does not require
+	// credentials.
+	CredentialsSourceNone CredentialsSource = "None"
+
+	// CredentialsSourceSecret indicates that a provider should acquire
+	// credentials from a secret.
+	CredentialsSourceSecret CredentialsSource = "Secret"
+
+	// CredentialsSourceInjectedIdentity indicates that a provider should use
+	// credentials via its (pod's) identity; i.e. via IRSA for AWS,
+	// Workload Identity for GCP, Pod Identity for Azure, or in-cluster
+	// authentication for the Kubernetes API.
+	CredentialsSourceInjectedIdentity CredentialsSource = "InjectedIdentity"
+)
+
+// ProviderCredentials required to authenticate.
+type ProviderCredentials struct {
+	// Source of the provider credentials.
+	// +kubebuilder:validation:Enum=None;Secret;InjectedIdentity
+	Source CredentialsSource `json:"source"`
+
+	// A CredentialsSecretRef is a reference to a secret key that contains the
+	// credentials that must be used to connect to the provider.
 	// +optional
-	CredentialsSecretRef *SecretKeySelector `json:"credentialsSecretRef,omitempty"`
+	SecretRef *SecretKeySelector `json:"secretRef,omitempty"`
 }
 
 // A ProviderConfigStatus defines the observed status of a ProviderConfig.

diff --git a/apis/core/v1alpha1/zz_generated.deepcopy.go b/apis/core/v1alpha1/zz_generated.deepcopy.go
diff --git a/build b/build
diff --git a/pkg/resource/fake/mocks.go b/pkg/resource/fake/mocks.go
@@ -145,20 +145,6 @@ func (m *Orphanable) SetDeletionPolicy(p v1alpha1.DeletionPolicy) { m.Policy = p
 // GetDeletionPolicy gets the DeletionPolicy.
 func (m *Orphanable) GetDeletionPolicy() v1alpha1.DeletionPolicy { return m.Policy }
 
-// CredentialsSecretReferencer is a mock that satisfies CredentialsSecretReferencer
-// interface.
-type CredentialsSecretReferencer struct{ Ref *v1alpha1.SecretKeySelector }
-
-// SetCredentialsSecretReference sets CredentialsSecretReference.
-func (m *CredentialsSecretReferencer) SetCredentialsSecretReference(r *v1alpha1.SecretKeySelector) {
-	m.Ref = r
-}
-
-// GetCredentialsSecretReference gets CredentialsSecretReference.
-func (m *CredentialsSecretReferencer) GetCredentialsSecretReference() *v1alpha1.SecretKeySelector {
-	return m.Ref
-}
-
 // CompositionReferencer is a mock that implements CompositionReferencer interface.
 type CompositionReferencer struct{ Ref *corev1.ObjectReference }
 
@@ -475,8 +461,6 @@ func (m *MockLocalConnectionSecretOwner) DeepCopyObject() runtime.Object {
 type ProviderConfig struct {
 	metav1.ObjectMeta
 
-	CredentialsSecretReferencer
-
 	UserCounter
 	v1alpha1.ConditionedStatus
 }

diff --git a/pkg/resource/interfaces.go b/pkg/resource/interfaces.go
@@ -65,13 +65,6 @@ type Orphanable interface {
 	GetDeletionPolicy() v1alpha1.DeletionPolicy
 }
 
-// A CredentialsSecretReferencer may refer to a credential secret in an arbitrary
-// namespace.
-type CredentialsSecretReferencer interface {
-	GetCredentialsSecretReference() *v1alpha1.SecretKeySelector
-	SetCredentialsSecretReference(r *v1alpha1.SecretKeySelector)
-}
-
 // A ProviderReferencer may reference a provider resource.
 type ProviderReferencer interface {
 	GetProviderReference() *v1alpha1.Reference
@@ -164,8 +157,6 @@ type ManagedList interface {
 type ProviderConfig interface {
 	Object
 
-	CredentialsSecretReferencer
-
 	UserCounter
 	Conditioned
 }