From 8d3f2de53d5ad5cf988db0c44913527c0f38e2a5 Mon Sep 17 00:00:00 2001
From: Nic Cope
Date: Mon, 5 Oct 2020 17:31:22 -0700
Subject: [PATCH 1/4] Bump build submodule

Signed-off-by: Nic Cope
---
 build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build b/build
index 4f6491315..066208d58 160000
--- a/build
+++ b/build
@@ -1 +1 @@
-Subproject commit 4f64913157a952dbe77cd9e05457d9abe695a1d4
+Subproject commit 066208d58f0529e36048c76a4ac46c3afd2b06d1

From 407dc9fa431f2a902be84ab3ebc4ef403f8f4bd1 Mon Sep 17 00:00:00 2001
From: Nic Cope
Date: Mon, 5 Oct 2020 19:11:19 -0700
Subject: [PATCH 2/4] Introduce a distinct ProviderConfig credentials field

This field distinguishes credentials configuration from other (currently hypothetical) aspects of provider configuration. It also introduces a 'spec.credentials.source' field that can be used to determine which credentials source the provider intends to use.

Signed-off-by: Nic Cope
---
 apis/core/v1alpha1/resource.go | 40 ++++++++++++++++++---
 apis/core/v1alpha1/zz_generated.deepcopy.go | 26 +++++++++++---
 pkg/resource/fake/mocks.go | 16 --------
 pkg/resource/interfaces.go | 9 -----
 4 files changed, 56 insertions(+), 35 deletions(-)

diff --git a/apis/core/v1alpha1/resource.go b/apis/core/v1alpha1/resource.go
index 70bd8ca40..97edd7317 100644
--- a/apis/core/v1alpha1/resource.go
+++ b/apis/core/v1alpha1/resource.go
@@ -171,13 +171,43 @@ type ProviderSpec struct { CredentialsSecretRef *SecretKeySelector `json:"credentialsSecretRef,omitempty"` } -// A ProviderConfigSpec defines the common way to get to the necessary objects -// to connect to the provider. +// A ProviderConfigSpec defines the desired state of a provider config. A +// provider config may embed this type in its spec in order to support standard +// fields. Provider configs may choose to avoid embedding this type as +// appropriate, but are encouraged to follow its conventions. type ProviderConfigSpec struct { - // CredentialsSecretRef references a specific secret's key that contains - // the credentials that are used to connect to the provider. + // Credentials required to authenticate to this provider. + Credentials ProviderCredentials `json:"credentials"` +} + +// A CredentialsSource is a source from which provider credentials may be +// acquired. +type CredentialsSource string + +const ( + // CredentialsSourceNone indicates that a provider does not require + // credentials. + CredentialsSourceNone CredentialsSource = "None" + + // CredentialsSourceSecret indicates that a provider should acquire + // credentials from a secret. + CredentialsSourceSecret CredentialsSource = "Secret" + + // CredentialsSourceNative indicates that a provider should acquire + // credentials via its native environment; i.e. via IRSA for AWS, Workload + // Identity for GCP, Pod identity for Azure, or in-cluster authentication + // for the Kubernetes API. + CredentialsSourceNative CredentialsSource = "Native" +) + +// ProviderCredentials required to authenticate. +type ProviderCredentials struct { + Source CredentialsSource `json:"source"` + + // A CredentialsSecretRef is a reference to a secret key that contains the + // credentials that must be used to connect to the provider. 
// +optional - CredentialsSecretRef *SecretKeySelector `json:"credentialsSecretRef,omitempty"` + SecretRef *SecretKeySelector `json:"secretRef,omitempty"` } // A ProviderConfigStatus defines the observed status of a ProviderConfig. diff --git a/apis/core/v1alpha1/zz_generated.deepcopy.go b/apis/core/v1alpha1/zz_generated.deepcopy.go index c4c0137d0..6d862171f 100644 --- a/apis/core/v1alpha1/zz_generated.deepcopy.go +++ b/apis/core/v1alpha1/zz_generated.deepcopy.go @@ -80,11 +80,7 @@ func (in *LocalSecretReference) DeepCopy() *LocalSecretReference { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProviderConfigSpec) DeepCopyInto(out *ProviderConfigSpec) { *out = *in - if in.CredentialsSecretRef != nil { - in, out := &in.CredentialsSecretRef, &out.CredentialsSecretRef - *out = new(SecretKeySelector) - **out = **in - } + in.Credentials.DeepCopyInto(&out.Credentials) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigSpec. @@ -130,6 +126,26 @@ func (in *ProviderConfigUsage) DeepCopy() *ProviderConfigUsage { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderCredentials) DeepCopyInto(out *ProviderCredentials) { + *out = *in + if in.SecretRef != nil { + in, out := &in.SecretRef, &out.SecretRef + *out = new(SecretKeySelector) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderCredentials. +func (in *ProviderCredentials) DeepCopy() *ProviderCredentials { + if in == nil { + return nil + } + out := new(ProviderCredentials) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProviderSpec) DeepCopyInto(out *ProviderSpec) { *out = *in 
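Review bot: The doc comment on the new `SecretRef` field of `ProviderCredentials` still names the field it replaced (`// A CredentialsSecretRef is a reference to a secret key that contains the`), so godoc and the CRD description generated from it will describe a field that no longer exists; it should read `// A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider. Required when source is Secret.`. Nothing in the type records the dependency between `Source` and `SecretRef`: an object with `source: Secret` and no `secretRef`, or a `secretRef` alongside `None` or `Native`, is presumably accepted by the API server, leaving each provider's reconciler to guard against a nil `SecretRef` or a reference that is silently ignored. A sentence in the `ProviderCredentials` doc comment stating that `SecretRef` is only consulted when `Source` is `Secret`, and that consumers must reject a `Secret` source without a reference, would make that contract explicit where the type is defined.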
diff --git a/pkg/resource/fake/mocks.go b/pkg/resource/fake/mocks.go index a2273ff2c..61acdb591 100644 --- a/pkg/resource/fake/mocks.go +++ b/pkg/resource/fake/mocks.go @@ -145,20 +145,6 @@ func (m *Orphanable) SetDeletionPolicy(p v1alpha1.DeletionPolicy) { m.Policy = p // GetDeletionPolicy gets the DeletionPolicy. func (m *Orphanable) GetDeletionPolicy() v1alpha1.DeletionPolicy { return m.Policy } -// CredentialsSecretReferencer is a mock that satisfies CredentialsSecretReferencer -// interface. -type CredentialsSecretReferencer struct{ Ref *v1alpha1.SecretKeySelector } - -// SetCredentialsSecretReference sets CredentialsSecretReference. -func (m *CredentialsSecretReferencer) SetCredentialsSecretReference(r *v1alpha1.SecretKeySelector) { - m.Ref = r -} - -// GetCredentialsSecretReference gets CredentialsSecretReference. -func (m *CredentialsSecretReferencer) GetCredentialsSecretReference() *v1alpha1.SecretKeySelector { - return m.Ref -} - // CompositionReferencer is a mock that implements CompositionReferencer interface. type CompositionReferencer struct{ Ref *corev1.ObjectReference } @@ -475,8 +461,6 @@ func (m *MockLocalConnectionSecretOwner) DeepCopyObject() runtime.Object { type ProviderConfig struct { metav1.ObjectMeta - CredentialsSecretReferencer - UserCounter v1alpha1.ConditionedStatus } diff --git a/pkg/resource/interfaces.go b/pkg/resource/interfaces.go index 0c2c73087..457591447 100644 --- a/pkg/resource/interfaces.go +++ b/pkg/resource/interfaces.go @@ -65,13 +65,6 @@ type Orphanable interface { GetDeletionPolicy() v1alpha1.DeletionPolicy } -// A CredentialsSecretReferencer may refer to a credential secret in an arbitrary -// namespace. -type CredentialsSecretReferencer interface { - GetCredentialsSecretReference() *v1alpha1.SecretKeySelector - SetCredentialsSecretReference(r *v1alpha1.SecretKeySelector) -} - // A ProviderReferencer may reference a provider resource. type ProviderReferencer interface { GetProviderReference() *v1alpha1.Reference 
@@ -164,8 +157,6 @@ type ManagedList interface { type ProviderConfig interface { Object - CredentialsSecretReferencer - UserCounter Conditioned } From a0ec11606612018fb68986d9674dd24f60bb800d Mon Sep 17 00:00:00 2001 From: Nic Cope Date: Tue, 6 Oct 2020 21:25:59 -0700 Subject: [PATCH 3/4] Rename 'Native' credentials source to 'InjectedIdentity' After some discussion amongst the community we felt this more accurately represents a credentials source where credentials are derived from the provider pod's identity (i.e. env vars, files, etc). Signed-off-by: Nic Cope --- apis/core/v1alpha1/resource.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apis/core/v1alpha1/resource.go b/apis/core/v1alpha1/resource.go index 97edd7317..b527e09b1 100644 --- a/apis/core/v1alpha1/resource.go +++ b/apis/core/v1alpha1/resource.go @@ -193,11 +193,11 @@ const ( // credentials from a secret. CredentialsSourceSecret CredentialsSource = "Secret" - // CredentialsSourceNative indicates that a provider should acquire - // credentials via its native environment; i.e. via IRSA for AWS, Workload - // Identity for GCP, Pod identity for Azure, or in-cluster authentication - // for the Kubernetes API. - CredentialsSourceNative CredentialsSource = "Native" + // CredentialsSourceInjectedIdentity indicates that a provider should use + // credentials via its (pod's) identity; i.e. via IRSA for AWS, + // Workload Identity for GCP, Pod Identity for Azure, or in-cluster + // authentication for the Kubernetes API. + CredentialsSourceInjectedIdentity CredentialsSource = "InjectedIdentity" ) // ProviderCredentials required to authenticate. From ab7ab7c7c2ef8353276ef7910fab8944f9c9ef09 Mon Sep 17 00:00:00 2001 From: Nic Cope Date: Wed, 7 Oct 2020 15:19:57 -0700 Subject: [PATCH 4/4] Add docstring and enum validation for credentials secret source Signed-off-by: Nic Cope --- apis/core/v1alpha1/resource.go | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/apis/core/v1alpha1/resource.go b/apis/core/v1alpha1/resource.go index b527e09b1..fc89a3e5c 100644 --- a/apis/core/v1alpha1/resource.go +++ b/apis/core/v1alpha1/resource.go @@ -202,6 +202,8 @@ const ( // ProviderCredentials required to authenticate. type ProviderCredentials struct { + // Source of the provider credentials. + // +kubebuilder:validation:Enum=None;Secret;InjectedIdentity Source CredentialsSource `json:"source"` // A CredentialsSecretRef is a reference to a secret key that contains the