diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index f0b6e0a..322c1b9 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -13,5 +13,5 @@ jobs: RUN_UNIT_TESTS: true RUN_INTEGRATION_TESTS: true RUN_HELMCHART_TEST: true - GO_VERSION: ~1.19 + GO_VERSION: ~1.21 OPERATOR_SDK_VERSION: v1.25.3 diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 38734f1..5f6baf5 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -20,5 +20,5 @@ jobs: RUN_UNIT_TESTS: true RUN_INTEGRATION_TESTS: true RUN_HELMCHART_TEST: true - GO_VERSION: ~1.19 + GO_VERSION: ~1.21 OPERATOR_SDK_VERSION: v1.25.3 diff --git a/Dockerfile b/Dockerfile index 569b06b..4251d2f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.19 as builder +FROM golang:1.21 as builder WORKDIR /workspace # Copy the Go Modules manifests diff --git a/api/v1alpha1/authenginemount_types.go b/api/v1alpha1/authenginemount_types.go index 93017b1..a9f6663 100644 --- a/api/v1alpha1/authenginemount_types.go +++ b/api/v1alpha1/authenginemount_types.go @@ -53,6 +53,10 @@ type AuthEngineMountSpec struct { Name string `json:"name,omitempty"` } +func (d *AuthEngineMount) IsDeletable() bool { + return true +} + func (d *AuthEngineMount) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name) diff --git a/api/v1alpha1/azureauthengineconfig_types.go b/api/v1alpha1/azureauthengineconfig_types.go index 31f8980..9e062c3 100644 --- a/api/v1alpha1/azureauthengineconfig_types.go +++ b/api/v1alpha1/azureauthengineconfig_types.go 
@@ -130,6 +130,10 @@ type AzureConfig struct { var _ vaultutils.VaultObject = &AzureAuthEngineConfig{} var _ vaultutils.ConditionsAware = &AzureAuthEngineConfig{} +func (d *AzureAuthEngineConfig) IsDeletable() bool { + return true +} + func (d *AzureAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection { return d.Spec.Connection } diff --git a/api/v1alpha1/azureauthenginerole_types.go b/api/v1alpha1/azureauthenginerole_types.go index 25a15e8..986e505 100644 --- a/api/v1alpha1/azureauthenginerole_types.go +++ b/api/v1alpha1/azureauthenginerole_types.go @@ -188,6 +188,10 @@ func init() { SchemeBuilder.Register(&AzureAuthEngineRole{}, &AzureAuthEngineRoleList{}) } +func (d *AzureAuthEngineRole) IsDeletable() bool { + return true +} + func (r *AzureAuthEngineRole) GetConditions() []metav1.Condition { return r.Status.Conditions } diff --git a/api/v1alpha1/azuresecretengineconfig_types.go b/api/v1alpha1/azuresecretengineconfig_types.go index 5e5f331..90bdb8d 100644 --- a/api/v1alpha1/azuresecretengineconfig_types.go +++ b/api/v1alpha1/azuresecretengineconfig_types.go @@ -128,6 +128,10 @@ func init() { SchemeBuilder.Register(&AzureSecretEngineConfig{}, &AzureSecretEngineConfigList{}) } +func (d *AzureSecretEngineConfig) IsDeletable() bool { + return true +} + func (r *AzureSecretEngineConfig) SetConditions(conditions []metav1.Condition) { r.Status.Conditions = conditions } diff --git a/api/v1alpha1/databasesecretengineconfig_types.go b/api/v1alpha1/databasesecretengineconfig_types.go index 5c4756e..772150d 100644 --- a/api/v1alpha1/databasesecretengineconfig_types.go +++ b/api/v1alpha1/databasesecretengineconfig_types.go 
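Review bot: The new `IsDeletable` on `AzureAuthEngineRole` uses receiver `d` while the adjacent `GetConditions` on the same type uses `r`; Go convention is one receiver name per type, so `func (r *AzureAuthEngineRole) IsDeletable() bool {` would match its neighbours. The same mismatch occurs in the `AzureSecretEngineConfig` hunk on this line and in the later hunks for `GCPAuthEngineConfig`, `GCPAuthEngineRole`, `Group`, `GroupAlias`, `JWTOIDCAuthEngineConfig`, `JWTOIDCAuthEngineRole`, `PKISecretEngineConfig`, `PKISecretEngineRole`, `QuaySecretEngineConfig`, `QuaySecretEngineStaticRole`, `RabbitMQSecretEngineConfig` and `RabbitMQSecretEngineRole`. None of the added exported methods carries a doc comment; `// IsDeletable reports whether the Vault-side resource is removed when this object is deleted.` on each would satisfy the exported-name convention.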
@@ -69,6 +69,10 @@ func (d *DatabaseSecretEngineConfig) GetVaultConnection() *vaultutils.VaultConne return d.Spec.Connection } +func (d *DatabaseSecretEngineConfig) IsDeletable() bool { + return true +} + func (d *DatabaseSecretEngineConfig) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "config" + "/" + d.Spec.Name) diff --git a/api/v1alpha1/databasesecretenginerole_types.go b/api/v1alpha1/databasesecretenginerole_types.go index 51124f2..9e30de2 100644 --- a/api/v1alpha1/databasesecretenginerole_types.go +++ b/api/v1alpha1/databasesecretenginerole_types.go @@ -59,6 +59,10 @@ var _ vaultutils.VaultObject = &DatabaseSecretEngineRole{} var _ vaultutils.ConditionsAware = &DatabaseSecretEngineRole{} +func (d *DatabaseSecretEngineRole) IsDeletable() bool { + return true +} + func (d *DatabaseSecretEngineRole) GetVaultConnection() *vaultutils.VaultConnection { return d.Spec.Connection } diff --git a/api/v1alpha1/databasesecretenginestaticrole_types.go b/api/v1alpha1/databasesecretenginestaticrole_types.go index fcd1b77..a274b20 100644 --- a/api/v1alpha1/databasesecretenginestaticrole_types.go +++ b/api/v1alpha1/databasesecretenginestaticrole_types.go @@ -144,6 +144,10 @@ func (d *DatabaseSecretEngineStaticRole) GetVaultConnection() *vaultutils.VaultC return d.Spec.Connection } +func (d *DatabaseSecretEngineStaticRole) IsDeletable() bool { + return true +} + func (d *DatabaseSecretEngineStaticRole) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "static-roles" + "/" + d.Spec.Name) diff --git a/api/v1alpha1/gcpauthengineconfig_types.go b/api/v1alpha1/gcpauthengineconfig_types.go index 23be1ca..e1159c1 100644 --- a/api/v1alpha1/gcpauthengineconfig_types.go +++ b/api/v1alpha1/gcpauthengineconfig_types.go 
@@ -84,14 +84,13 @@ type GCPAuthEngineConfigList struct { type GCPConfig struct { - - // Service Account Name. A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person. + // Service Account Name. A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person. // A service account is identified by its email address, which is unique to the account. - // Applications use service accounts to make authorized API calls by authenticating as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation. + // Applications use service accounts to make authorized API calls by authenticating as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation. // When an application authenticates as a service account, it has access to all resources that the service account has permission to access. // +kubebuilder:validation:Optional // +kubebuilder:default="" - ServiceAccount string `json:"serviceAccount,omitempty"` + ServiceAccount string `json:"serviceAccount,omitempty"` // Must be either unique_id or role_id. // If unique_id is specified, the service account's unique ID will be used for alias names during login. @@ -138,7 +137,7 @@ type GCPConfig struct { CustomEndpoint *apiextensionsv1.JSON `json:"customEndpoint,omitempty"` retrievedServiceAccount string `json:"-"` - retrievedCredentials string `json:"-"` + retrievedCredentials string `json:"-"` } var _ vaultutils.VaultObject = &GCPAuthEngineConfig{} 
@@ -148,6 +147,10 @@ func (d *GCPAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection { return d.Spec.Connection } +func (d *GCPAuthEngineConfig) IsDeletable() bool { + return false +} + func (r *GCPAuthEngineConfig) GetConditions() []metav1.Condition { return r.Status.Conditions } diff --git a/api/v1alpha1/gcpauthenginerole_types.go b/api/v1alpha1/gcpauthenginerole_types.go index 97882e3..84149fc 100644 --- a/api/v1alpha1/gcpauthenginerole_types.go +++ b/api/v1alpha1/gcpauthenginerole_types.go @@ -215,6 +215,10 @@ func init() { SchemeBuilder.Register(&GCPAuthEngineRole{}, &GCPAuthEngineRoleList{}) } +func (d *GCPAuthEngineRole) IsDeletable() bool { + return true +} + func (r *GCPAuthEngineRole) GetConditions() []metav1.Condition { return r.Status.Conditions } diff --git a/api/v1alpha1/githubsecretengineconfig_types.go b/api/v1alpha1/githubsecretengineconfig_types.go index 8ab3ff5..7c383c1 100644 --- a/api/v1alpha1/githubsecretengineconfig_types.go +++ b/api/v1alpha1/githubsecretengineconfig_types.go @@ -96,6 +96,10 @@ func (d *GitHubSecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnect return d.Spec.Connection } +func (d *GitHubSecretEngineConfig) IsDeletable() bool { + return false +} + func (d *GitHubSecretEngineConfig) GetPath() string { return string(d.Spec.Path) + "/" + "config" } diff --git a/api/v1alpha1/githubsecretenginerole_types.go b/api/v1alpha1/githubsecretenginerole_types.go index ebda73e..2ec7377 100644 --- a/api/v1alpha1/githubsecretenginerole_types.go +++ b/api/v1alpha1/githubsecretenginerole_types.go @@ -115,6 +115,10 @@ func (d *GitHubSecretEngineRole) IsInitialized() bool { return true } +func (d *GitHubSecretEngineRole) IsDeletable() bool { + return true +} + func (d *GitHubSecretEngineRole) PrepareInternalValues(context context.Context, object client.Object) error { return nil } diff --git a/api/v1alpha1/group_types.go b/api/v1alpha1/group_types.go index b2bbfd7..e972647 100644 --- a/api/v1alpha1/group_types.go 
+++ b/api/v1alpha1/group_types.go @@ -119,6 +119,10 @@ func (m *Group) GetConditions() []metav1.Condition { return m.Status.Conditions } +func (d *Group) IsDeletable() bool { + return true +} + func (m *Group) SetConditions(conditions []metav1.Condition) { m.Status.Conditions = conditions } diff --git a/api/v1alpha1/groupalias_types.go b/api/v1alpha1/groupalias_types.go index b9325b4..039220e 100644 --- a/api/v1alpha1/groupalias_types.go +++ b/api/v1alpha1/groupalias_types.go @@ -107,6 +107,10 @@ func (m *GroupAlias) GetConditions() []metav1.Condition { return m.Status.Conditions } +func (d *GroupAlias) IsDeletable() bool { + return true +} + func (m *GroupAlias) SetConditions(conditions []metav1.Condition) { m.Status.Conditions = conditions } diff --git a/api/v1alpha1/jwtoidcauthengineconfig_types.go b/api/v1alpha1/jwtoidcauthengineconfig_types.go index 6e245a8..34ffcc7 100644 --- a/api/v1alpha1/jwtoidcauthengineconfig_types.go +++ b/api/v1alpha1/jwtoidcauthengineconfig_types.go @@ -174,6 +174,10 @@ func (d *JWTOIDCAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnecti return d.Spec.Connection } +func (d *JWTOIDCAuthEngineConfig) IsDeletable() bool { + return false +} + func (r *JWTOIDCAuthEngineConfig) GetConditions() []metav1.Condition { return r.Status.Conditions } diff --git a/api/v1alpha1/jwtoidcauthenginerole_types.go b/api/v1alpha1/jwtoidcauthenginerole_types.go index d08c034..57fb413 100644 --- a/api/v1alpha1/jwtoidcauthenginerole_types.go +++ b/api/v1alpha1/jwtoidcauthenginerole_types.go @@ -257,6 +257,10 @@ func (d *JWTOIDCAuthEngineRole) GetVaultConnection() *vaultutils.VaultConnection return d.Spec.Connection } +func (d *JWTOIDCAuthEngineRole) IsDeletable() bool { + return true +} + func (r *JWTOIDCAuthEngineRole) GetKubeAuthConfiguration() *vaultutils.KubeAuthConfiguration { return &r.Spec.Authentication } 
diff --git a/api/v1alpha1/kubernetesauthengineconfig_types.go b/api/v1alpha1/kubernetesauthengineconfig_types.go index 7fec239..79d2d03 100644 --- a/api/v1alpha1/kubernetesauthengineconfig_types.go +++ b/api/v1alpha1/kubernetesauthengineconfig_types.go @@ -85,6 +85,10 @@ func (d *KubernetesAuthEngineConfig) IsInitialized() bool { return true } +func (d *KubernetesAuthEngineConfig) IsDeletable() bool { + return false +} + func (d *KubernetesAuthEngineConfig) PrepareInternalValues(context context.Context, object client.Object) error { log := log.FromContext(context) @@ -144,6 +148,17 @@ type KAECConfig struct { // +kubebuilder:default=false DisableLocalCAJWT bool `json:"disableLocalCAJWT,omitempty"` + // UseOperatorPodCA . This field is considered only if `kubernetesCACert` is not set and `disableLocalCAJWT` is set to true. + // In this case if this field is set to true the operator pod's CA is injected. This is the original behavior before the introduction of this field + // If tis field is set to false, the os ca bundle of where vault is running will be used. + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + UseOperatorPodCA bool `json:"useOperatorPodCA,omitempty"` + + // UseAnnotationsAsAliasMetadata Use annotations from the client token's associated service account as alias metadata for the Vault entity. Only annotations with the vault.hashicorp.com/alias-metadata- key prefix are targeted as alias metadata and your annotations must be 512 characters or less due to the Vault alias metadata value limit. For example, if you configure the annotation vault.hashicorp.com/alias-metadata-foo, Vault saves the string "foo" along with the annotation value to the alias metadata. To save alias metadata, Vault must have permission to read service accounts from the Kubernetes API. + // +kubebuilder:validation:Optional + UseAnnotationsAsAliasMetadata bool `json:"useAnnotationsAsAliasMetadata,omitempty"` + retrievedTokenReviewerJWT string `json:"-"` } 
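Review bot: `UseOperatorPodCA bool `json:"useOperatorPodCA,omitempty"`` together with `+kubebuilder:default=true` cannot carry an explicit `false` once the object is marshalled from Go: `omitempty` drops a false bool, the field is then absent on the wire and the API server applies the CRD default to absent fields, so a user who opts out is flipped back to `true` the first time the controller writes the object (for instance the finalizer `Update` in `ManageOutcomeWithRequeue`). A pointer field, `UseOperatorPodCA *bool `json:"useOperatorPodCA,omitempty"``, keeps unset, true and false distinct; the webhook would then need a nil check before dereferencing. The field comment also has a typo, `If tis field` should read `If this field`, and the generated CRD description inherits it. The `KAECConfig` struct begins outside the hunk.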
@@ -199,6 +214,8 @@ func (i *KAECConfig) toMap() map[string]interface{} { payload["issuer"] = i.Issuer payload["disable_iss_validation"] = i.DisableISSValidation payload["disable_local_ca_jwt"] = i.DisableLocalCAJWT + payload["use_annotations_as_alias_metadata"] = i.UseAnnotationsAsAliasMetadata + return payload } diff --git a/api/v1alpha1/kubernetesauthengineconfig_webhook.go b/api/v1alpha1/kubernetesauthengineconfig_webhook.go index 3d4407d..d2c2efb 100644 --- a/api/v1alpha1/kubernetesauthengineconfig_webhook.go +++ b/api/v1alpha1/kubernetesauthengineconfig_webhook.go @@ -45,7 +45,7 @@ var _ webhook.Defaulter = &KubernetesAuthEngineConfig{} // Default implements webhook.Defaulter so a webhook will be registered for the type func (r *KubernetesAuthEngineConfig) Default() { kubernetesauthengineconfiglog.Info("default", "name", r.Name) - if r.Spec.KubernetesCACert == "" { + if r.Spec.UseOperatorPodCA && r.Spec.KubernetesCACert == "" { b, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") if err != nil { kubernetesauthengineconfiglog.Error(err, "unable to read file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt") diff --git a/api/v1alpha1/kubernetesauthenginerole_types.go b/api/v1alpha1/kubernetesauthenginerole_types.go index d613947..5756450 100644 --- a/api/v1alpha1/kubernetesauthenginerole_types.go +++ b/api/v1alpha1/kubernetesauthenginerole_types.go @@ -67,6 +67,10 @@ func (d *KubernetesAuthEngineRole) GetVaultConnection() *vaultutils.VaultConnect return d.Spec.Connection } +func (d *KubernetesAuthEngineRole) IsDeletable() bool { + return true +} + func (d *KubernetesAuthEngineRole) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/role/" + d.Spec.Name) diff --git a/api/v1alpha1/kubernetessecretengineconfig_types.go b/api/v1alpha1/kubernetessecretengineconfig_types.go index df34088..a7b0af7 100644 --- a/api/v1alpha1/kubernetessecretengineconfig_types.go 
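Review bot: The new guard in `Default` tests `UseOperatorPodCA` and `KubernetesCACert` but not `DisableLocalCAJWT`, whereas the field comment says `useOperatorPodCA` is considered only when `disableLocalCAJWT` is true and the docs table says that with `disableLocalCAJWT: false` Vault's own pod CA is used. Because `useOperatorPodCA` defaults to true, the operator pod's CA is still injected for every config that leaves `kubernetesCACert` empty, so the documented `unset / false` row is not what this code does. Either the condition becomes `if r.Spec.UseOperatorPodCA && r.Spec.DisableLocalCAJWT && r.Spec.KubernetesCACert == "" {` (assuming `KAECConfig` is embedded in the spec, as the existing `r.Spec.UseOperatorPodCA` access suggests), or the comment and table should be brought in line with the implemented behaviour. `Default` continues outside the hunk.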
+++ b/api/v1alpha1/kubernetessecretengineconfig_types.go @@ -106,6 +106,10 @@ func (d *KubernetesSecretEngineConfig) GetVaultConnection() *vaultutils.VaultCon return d.Spec.Connection } +func (d *KubernetesSecretEngineConfig) IsDeletable() bool { + return true +} + func (d *KubernetesSecretEngineConfig) GetPath() string { return string(d.Spec.Path) + "/" + "config" } diff --git a/api/v1alpha1/kubernetessecretenginerole_types.go b/api/v1alpha1/kubernetessecretenginerole_types.go index bc6ab28..4cd7f17 100644 --- a/api/v1alpha1/kubernetessecretenginerole_types.go +++ b/api/v1alpha1/kubernetessecretenginerole_types.go @@ -61,6 +61,10 @@ var _ vaultutils.VaultObject = &KubernetesSecretEngineRole{} var _ vaultutils.ConditionsAware = &KubernetesSecretEngineRole{} +func (d *KubernetesSecretEngineRole) IsDeletable() bool { + return true +} + func (d *KubernetesSecretEngineRole) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Spec.Name) diff --git a/api/v1alpha1/ldapauthengineconfig_types.go b/api/v1alpha1/ldapauthengineconfig_types.go index cc735af..95eb78c 100644 --- a/api/v1alpha1/ldapauthengineconfig_types.go +++ b/api/v1alpha1/ldapauthengineconfig_types.go @@ -61,6 +61,10 @@ func (d *LDAPAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection return d.Spec.Connection } +func (d *LDAPAuthEngineConfig) IsDeletable() bool { + return false +} + func (d *LDAPAuthEngineConfig) GetPath() string { return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/config") } diff --git a/api/v1alpha1/ldapauthenginegroup_types.go b/api/v1alpha1/ldapauthenginegroup_types.go index 4f845e5..dffc382 100644 --- a/api/v1alpha1/ldapauthenginegroup_types.go +++ b/api/v1alpha1/ldapauthenginegroup_types.go 
@@ -63,6 +63,10 @@ func (d *LDAPAuthEngineGroup) GetPath() string { return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/groups/" + string(d.Spec.Name)) } +func (d *LDAPAuthEngineGroup) IsDeletable() bool { + return true +} + func (d *LDAPAuthEngineGroup) GetPayload() map[string]interface{} { return d.toMap() } diff --git a/api/v1alpha1/passwordpolicy_types.go b/api/v1alpha1/passwordpolicy_types.go index 90a2082..8342bcc 100644 --- a/api/v1alpha1/passwordpolicy_types.go +++ b/api/v1alpha1/passwordpolicy_types.go @@ -54,6 +54,10 @@ func (d *PasswordPolicy) IsInitialized() bool { return true } +func (d *PasswordPolicy) IsDeletable() bool { + return true +} + func (d *PasswordPolicy) PrepareInternalValues(context context.Context, object client.Object) error { return nil } diff --git a/api/v1alpha1/pkisecretengineconfig_types.go b/api/v1alpha1/pkisecretengineconfig_types.go index 553d069..bf9d8ab 100644 --- a/api/v1alpha1/pkisecretengineconfig_types.go +++ b/api/v1alpha1/pkisecretengineconfig_types.go @@ -233,6 +233,10 @@ func (d *PKISecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnection return d.Spec.Connection } +func (d *PKISecretEngineConfig) IsDeletable() bool { + return false +} + func (p *PKISecretEngineConfig) GetPath() string { return string(p.Spec.Path) } diff --git a/api/v1alpha1/pkisecretenginerole_types.go b/api/v1alpha1/pkisecretenginerole_types.go index 464bd35..0f0b1a7 100644 --- a/api/v1alpha1/pkisecretenginerole_types.go +++ b/api/v1alpha1/pkisecretenginerole_types.go @@ -92,6 +92,10 @@ func (r *PKISecretEngineRole) IsValid() (bool, error) { return true, nil } +func (d *PKISecretEngineRole) IsDeletable() bool { + return true +} + type PKIRole struct { // Specifies the Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter. 
diff --git a/api/v1alpha1/policy_types.go b/api/v1alpha1/policy_types.go index 21ca51f..6bd8eaa 100644 --- a/api/v1alpha1/policy_types.go +++ b/api/v1alpha1/policy_types.go @@ -71,6 +71,10 @@ func (d *Policy) IsInitialized() bool { return true } +func (d *Policy) IsDeletable() bool { + return true +} + func (d *Policy) PrepareInternalValues(context context.Context, object client.Object) error { // Fast path escape if no "${..}" placeholder is detected match, err := regexp.MatchString("\\${[^}]+}", d.Spec.Policy) diff --git a/api/v1alpha1/quaysecretengineconfig_types.go b/api/v1alpha1/quaysecretengineconfig_types.go index 838650c..810eb97 100644 --- a/api/v1alpha1/quaysecretengineconfig_types.go +++ b/api/v1alpha1/quaysecretengineconfig_types.go @@ -59,6 +59,10 @@ func (d *QuaySecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnectio return d.Spec.Connection } +func (d *QuaySecretEngineConfig) IsDeletable() bool { + return false +} + func (q *QuaySecretEngineConfig) GetPath() string { return string(q.Spec.Path) + "/" + "config" } diff --git a/api/v1alpha1/quaysecretenginerole_types.go b/api/v1alpha1/quaysecretenginerole_types.go index b2c2d18..8cbcde8 100644 --- a/api/v1alpha1/quaysecretenginerole_types.go +++ b/api/v1alpha1/quaysecretenginerole_types.go @@ -76,6 +76,10 @@ func (d *QuaySecretEngineRole) GetVaultConnection() *vaultutils.VaultConnection return d.Spec.Connection } +func (d *QuaySecretEngineRole) IsDeletable() bool { + return true +} + func (d *QuaySecretEngineRole) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Spec.Name) diff --git a/api/v1alpha1/quaysecretenginestaticrole_types.go b/api/v1alpha1/quaysecretenginestaticrole_types.go index 9d122e4..1056044 100644 --- a/api/v1alpha1/quaysecretenginestaticrole_types.go +++ b/api/v1alpha1/quaysecretenginestaticrole_types.go 
@@ -74,6 +74,10 @@ func (q *QuaySecretEngineStaticRole) IsInitialized() bool { return true } +func (d *QuaySecretEngineStaticRole) IsDeletable() bool { + return true +} + func (q *QuaySecretEngineStaticRole) PrepareInternalValues(context context.Context, object client.Object) error { return nil } diff --git a/api/v1alpha1/rabbitmqsecretengineconfig_types.go b/api/v1alpha1/rabbitmqsecretengineconfig_types.go index f8d13ab..410f026 100644 --- a/api/v1alpha1/rabbitmqsecretengineconfig_types.go +++ b/api/v1alpha1/rabbitmqsecretengineconfig_types.go @@ -153,6 +153,10 @@ func (m *RabbitMQSecretEngineConfig) SetConditions(conditions []metav1.Condition m.Status.Conditions = conditions } +func (d *RabbitMQSecretEngineConfig) IsDeletable() bool { + return false +} + func (m *RabbitMQSecretEngineConfig) SetUsernameAndPassword(username string, password string) { m.Spec.RMQSEConfig.retrievedUsername = username m.Spec.RMQSEConfig.retrievedPassword = password diff --git a/api/v1alpha1/rabbitmqsecretenginerole_types.go b/api/v1alpha1/rabbitmqsecretenginerole_types.go index b0d6433..96b5b34 100644 --- a/api/v1alpha1/rabbitmqsecretenginerole_types.go +++ b/api/v1alpha1/rabbitmqsecretenginerole_types.go @@ -152,6 +152,10 @@ func (m *RabbitMQSecretEngineRole) GetConditions() []metav1.Condition { return m.Status.Conditions } +func (d *RabbitMQSecretEngineRole) IsDeletable() bool { + return true +} + func (m *RabbitMQSecretEngineRole) SetConditions(conditions []metav1.Condition) { m.Status.Conditions = conditions } diff --git a/api/v1alpha1/randomsecret_types.go b/api/v1alpha1/randomsecret_types.go index ab673d2..b2f3285 100644 --- a/api/v1alpha1/randomsecret_types.go +++ b/api/v1alpha1/randomsecret_types.go 
@@ -98,6 +98,10 @@ func (d *RandomSecret) GetPath() string { return vaultutils.CleansePath(string(d.Spec.Path) + "/" + d.Name) } +func (d *RandomSecret) IsDeletable() bool { + return true +} + func (d *RandomSecret) getV1Payload() map[string]interface{} { payload := map[string]interface{}{ diff --git a/api/v1alpha1/secretenginemount_types.go b/api/v1alpha1/secretenginemount_types.go index fc963b7..9e0159f 100644 --- a/api/v1alpha1/secretenginemount_types.go +++ b/api/v1alpha1/secretenginemount_types.go @@ -36,6 +36,10 @@ func (d *SecretEngineMount) GetVaultConnection() *vaultutils.VaultConnection { return d.Spec.Connection } +func (d *SecretEngineMount) IsDeletable() bool { + return true +} + func (d *SecretEngineMount) GetPath() string { if d.Spec.Name != "" { return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name) diff --git a/api/v1alpha1/utils/vaultobject.go b/api/v1alpha1/utils/vaultobject.go index e51952e..f658461 100644 --- a/api/v1alpha1/utils/vaultobject.go +++ b/api/v1alpha1/utils/vaultobject.go @@ -32,6 +32,7 @@ type VaultObject interface { IsEquivalentToDesiredState(payload map[string]interface{}) bool IsInitialized() bool IsValid() (bool, error) + IsDeletable() bool PrepareInternalValues(context context.Context, object client.Object) error PrepareTLSConfig(context context.Context, object client.Object) error GetKubeAuthConfiguration() *KubeAuthConfiguration diff --git a/config/crd/bases/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml b/config/crd/bases/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml index 1af5d01..f835923 100644 --- a/config/crd/bases/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml +++ b/config/crd/bases/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml 
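Review bot: `IsDeletable() bool` is added to the `VaultObject` interface without a doc comment, so its contract is only discoverable from the callers: when it returns false `ManageOutcomeWithRequeue` adds no finalizer and `manageCleanUpLogic` returns early, which means the Vault-side configuration, including any credentials it carries such as the token reviewer JWT or a RabbitMQ username and password, outlives the custom resource. Suggested: `// IsDeletable reports whether the Vault resource backing this object is removed when the object is deleted. When false, no finalizer is added and the Vault-side configuration is left in place.` The split between implementations returning true and false (the GCP, GitHub, JWT/OIDC, Kubernetes auth, LDAP, PKI, Quay and RabbitMQ config types return false, while the Azure, Database and Kubernetes secret engine configs return true) is presumably driven by which Vault endpoints support deletion; a one-line comment on each `return false` stating that reason would help the next maintainer. The `VaultObject` interface declaration begins outside the hunk.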
@@ -180,6 +180,26 @@ spec: type: string type: object x-kubernetes-map-type: atomic + useAnnotationsAsAliasMetadata: + description: UseAnnotationsAsAliasMetadata Use annotations from the + client token's associated service account as alias metadata for + the Vault entity. Only annotations with the vault.hashicorp.com/alias-metadata- + key prefix are targeted as alias metadata and your annotations must + be 512 characters or less due to the Vault alias metadata value + limit. For example, if you configure the annotation vault.hashicorp.com/alias-metadata-foo, + Vault saves the string "foo" along with the annotation value to + the alias metadata. To save alias metadata, Vault must have permission + to read service accounts from the Kubernetes API. + type: boolean + useOperatorPodCA: + default: true + description: UseOperatorPodCA . This field is considered only if `kubernetesCACert` + is not set and `disableLocalCAJWT` is set to true. In this case + if this field is set to true the operator pod's CA is injected. + This is the original behavior before the introduction of this field + If tis field is set to false, the os ca bundle of where vault is + running will be used. + type: boolean type: object status: description: KubernetesAuthEngineConfigStatus defines the observed state diff --git a/config/local-development/vault-values.yaml b/config/local-development/vault-values.yaml index 30b3ee7..0f742eb 100644 --- a/config/local-development/vault-values.yaml +++ b/config/local-development/vault-values.yaml 
@@ -9,21 +9,21 @@ injector: enabled: false image: repository: "registry.connect.redhat.com/hashicorp/vault-k8s" - tag: "1.2.1-ubi" + tag: "1.4.2-ubi" agentImage: repository: "registry.connect.redhat.com/hashicorp/vault" - tag: "1.14.0-ubi" + tag: "1.17.1-ubi" csi: image: repository: "docker.io/hashicorp/vault-csi-provider" - tag: "1.2.1" + tag: "1.4.2" pullPolicy: IfNotPresent server: image: - tag: "1.14.0-ubi" + tag: "1.17.1-ubi" repository: registry.connect.redhat.com/hashicorp/vault extraEnvironmentVars: @@ -108,7 +108,7 @@ server: extraContainers: # you should not do this in production - name: auto-initializer - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.1-ubi env: - name: NAMESPACE valueFrom: @@ -145,7 +145,7 @@ server: mountPath: /usr/local/libexec/vault # you should not do this in production - name: auto-unsealer - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.1-ubi env: - name: VAULT_SKIP_VERIFY value: "true" @@ -178,7 +178,7 @@ server: - name: vault-root-token mountPath: /vault-root-token - name: github-module-loader - image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi + image: registry.connect.redhat.com/hashicorp/vault:1.17.1-ubi env: - name: VAULT_SKIP_VERIFY value: "true" diff --git a/controllers/azuresecretengineconfig_controller.go b/controllers/azuresecretengineconfig_controller.go index 8dff740..a820748 100644 --- a/controllers/azuresecretengineconfig_controller.go +++ b/controllers/azuresecretengineconfig_controller.go 
@@ -192,7 +192,6 @@ func (r *AzureSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager) e } - func (r *AzureSecretEngineConfigReconciler) findApplicableASEForSecret(ctx context.Context, secret *corev1.Secret) ([]redhatcopv1alpha1.AzureSecretEngineConfig, error) { result := []redhatcopv1alpha1.AzureSecretEngineConfig{} vrl := &redhatcopv1alpha1.AzureSecretEngineConfigList{} diff --git a/controllers/vaultresourcecontroller/utils.go b/controllers/vaultresourcecontroller/utils.go index 04cf08e..24a4676 100644 --- a/controllers/vaultresourcecontroller/utils.go +++ b/controllers/vaultresourcecontroller/utils.go @@ -112,6 +112,7 @@ func NewFromManager(mgr manager.Manager, controllerName string) ReconcilerBase { func ManageOutcomeWithRequeue(context context.Context, r ReconcilerBase, obj client.Object, issue error, requeueAfter time.Duration) (reconcile.Result, error) { log := log.FromContext(context) conditionsAware := (obj).(vaultutils.ConditionsAware) + var condition metav1.Condition if issue == nil { condition = metav1.Condition{ 
@@ -138,15 +139,30 @@ func ManageOutcomeWithRequeue(context context.Context, r ReconcilerBase, obj cli
 log.Error(err, "unable to update status")
 return reconcile.Result{}, err
 }
- if issue == nil && !controllerutil.ContainsFinalizer(obj, vaultutils.GetFinalizer(obj)) {
- controllerutil.AddFinalizer(obj, vaultutils.GetFinalizer(obj))
- // BEWARE: this call *mutates* the object in memory with Kube's response, there *must be invoked last*
- err := r.GetClient().Update(context, obj)
- if err != nil {
- log.Error(err, "unable to add reconciler")
- return reconcile.Result{}, err
+ if vaultObject, ok := obj.(vaultutils.VaultObject); ok {
+ if vaultObject.IsDeletable() {
+ if issue == nil && !controllerutil.ContainsFinalizer(obj, vaultutils.GetFinalizer(obj)) {
+ controllerutil.AddFinalizer(obj, vaultutils.GetFinalizer(obj))
+ // BEWARE: this call *mutates* the object in memory with Kube's response, there *must be invoked last*
+ err := r.GetClient().Update(context, obj)
+ if err != nil {
+ log.Error(err, "unable to add reconciler")
+ return reconcile.Result{}, err
+ }
+ }
+ }
+ } else {
+ if issue == nil && !controllerutil.ContainsFinalizer(obj, vaultutils.GetFinalizer(obj)) {
+ controllerutil.AddFinalizer(obj, vaultutils.GetFinalizer(obj))
+ // BEWARE: this call *mutates* the object in memory with Kube's response, there *must be invoked last*
+ err := r.GetClient().Update(context, obj)
+ if err != nil {
+ log.Error(err, "unable to add reconciler")
+ return reconcile.Result{}, err
+ }
 }
 }
+
 return reconcile.Result{RequeueAfter: requeueAfter}, issue
 }
diff --git a/controllers/vaultresourcecontroller/vaultengineresourcereconciler.go b/controllers/vaultresourcecontroller/vaultengineresourcereconciler.go
index 81c846d..a402a4e 100644
--- a/controllers/vaultresourcecontroller/vaultengineresourcereconciler.go
+++ b/controllers/vaultresourcecontroller/vaultengineresourcereconciler.go
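Review bot: The two finalizer blocks in `ManageOutcomeWithRequeue` are duplicates; the only behavioural difference between the branches is that a `VaultObject` reporting `IsDeletable() == false` skips them. A single guard keeps one copy: `if vo, ok := obj.(vaultutils.VaultObject); ok && !vo.IsDeletable() { return reconcile.Result{RequeueAfter: requeueAfter}, issue }` placed before the original `if issue == nil && !controllerutil.ContainsFinalizer(obj, vaultutils.GetFinalizer(obj))` block, which then stays as it was. Note also that an object created before this change may already carry the finalizer; with `manageCleanUpLogic` now returning early for non-deletable objects, whether that finalizer is still removed depends on the caller, which is outside this diff. `ManageOutcomeWithRequeue` begins outside the hunk.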
@@ -42,7 +42,12 @@ func NewVaultEngineResource(reconcilerBase *ReconcilerBase, obj client.Object) *
 func (r *VaultEngineResource) manageCleanUpLogic(context context.Context, instance client.Object) error {
 log := log.FromContext(context)
- // we delete this only if it has actually been created. We assume that if there was a successful reconcyle cycle the resource was created in Vault
+ if vaultObject, ok := instance.(vaultutils.VaultObject); ok {
+ if !vaultObject.IsDeletable() {
+ return nil
+ }
+ }
+ // we delete this only if it has actually been created. We assume that if there was a successful reconcile cycle the resource was created in Vault
 if conditionAware, ok := instance.(vaultutils.ConditionsAware); ok {
 for _, condition := range conditionAware.GetConditions() {
 if condition.Status == metav1.ConditionTrue && condition.Type == ReconcileSuccessful {
diff --git a/controllers/vaultresourcecontroller/vaultpkiengineresourcereconciler.go b/controllers/vaultresourcecontroller/vaultpkiengineresourcereconciler.go
index 46f1962..c8a9200 100644
--- a/controllers/vaultresourcecontroller/vaultpkiengineresourcereconciler.go
+++ b/controllers/vaultresourcecontroller/vaultpkiengineresourcereconciler.go
@@ -42,6 +42,11 @@ func NewVaultPKIEngineResource(reconcilerBase *ReconcilerBase, obj client.Object
 func (r *VaultPKIEngineResource) manageCleanUpLogic(context context.Context, instance client.Object) error {
 log := log.FromContext(context)
+ if vaultObject, ok := instance.(vaultutils.VaultObject); ok {
+ if !vaultObject.IsDeletable() {
+ return nil
+ }
+ }
 if conditionAware, ok := instance.(vaultutils.ConditionsAware); ok {
 for _, condition := range conditionAware.GetConditions() {
 if condition.Status == metav1.ConditionTrue && condition.Type == ReconcileSuccessful {
diff --git a/controllers/vaultresourcecontroller/vaultresourcereconciler.go b/controllers/vaultresourcecontroller/vaultresourcereconciler.go
index e1019ac..0e6d81f 100644
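Review bot: The early `return nil` added to `manageCleanUpLogic` skips the Vault-side deletion without leaving any trace, so an operator who deletes a non-deletable CR and later finds its configuration still present in Vault has nothing in the controller log to explain it. A line before the return, `log.Info("object is not deletable, leaving Vault-side resource in place")`, using the `log` already obtained from `log.FromContext(context)`, would make the skip observable. The same silent early return appears in the `VaultPKIEngineResource` hunk on this line and in the `VaultResource` hunk that follows. All three function bodies continue outside their hunks.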
--- a/controllers/vaultresourcecontroller/vaultresourcereconciler.go
+++ b/controllers/vaultresourcecontroller/vaultresourcereconciler.go
@@ -73,6 +73,11 @@ func (r *VaultResource) Reconcile(ctx context.Context, instance client.Object) (
 func (r *VaultResource) manageCleanUpLogic(context context.Context, instance client.Object) error {
 log := log.FromContext(context)
+ if vaultObject, ok := instance.(vaultutils.VaultObject); ok {
+ if !vaultObject.IsDeletable() {
+ return nil
+ }
+ }
 if conditionAware, ok := instance.(vaultutils.ConditionsAware); ok {
 for _, condition := range conditionAware.GetConditions() {
 if condition.Status == metav1.ConditionTrue && condition.Type == ReconcileSuccessful {
diff --git a/docs/auth-engines.md b/docs/auth-engines.md
index 59e26f7..13c6c40 100644
--- a/docs/auth-engines.md
+++ b/docs/auth-engines.md
@@ -58,7 +58,15 @@ The `path` field specifies the path to configure. the complete path of the confi
 The `tokenReviewerServiceAccount.name` field specifies the service account to be used to perform the token review. This account must exists and must be granted the TokenReviews create permission. If not specified it will default to `default`.
-The `kubernetesCACert` field is the base64 encoded CA certificate that can be used to validate the connection to the master API. It will default to the content of the file `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"`. This default should work for most cases.
+The `kubernetesCACert` field is the base64 encoded CA certificate that can be used to validate the connection to the master API. If passed, that CA bundle will be used. Consult the following table to see what happens when the field is not passed
+
+| `kubernetesCACert` | `disableLocalCAJWT` | `useOperatorPodCA` | Behaviour |
+ | -------- | ------- | -------- | ------- |
+| set | ignored | ignored | the set CA is used |
+| unset | false | ignored | the `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` of the Vault's pod is used. If Vault is not running in a pod, then the behavior is undefined |
+| unset | true | false | the default os CA where Vault is running is used |
+| unset | true | true | the `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` the operator pod is inject and used |
+
 The `kubernetesHost` field defines the master api endpoint. It defaults to `https://kubernetes.default.svc:443` and it should work most cases.
diff --git a/go.mod b/go.mod
index ed450e1..4ba4dfb 100644
--- a/go.mod
+++ b/go.mod
@@ -1,16 +1,18 @@
 module github.com/redhat-cop/vault-config-operator
-go 1.19
+go 1.21
+
+toolchain go1.21.8
 require (
- github.com/BurntSushi/toml v1.2.1
+ github.com/BurntSushi/toml v1.4.0
 github.com/Masterminds/sprig/v3 v3.2.3
- github.com/go-logr/logr v1.2.4
+ github.com/go-logr/logr v1.4.2
 github.com/hashicorp/go-multierror v1.1.1
- github.com/hashicorp/hcl/v2 v2.17.0
- github.com/hashicorp/vault/api v1.9.2
- github.com/onsi/ginkgo/v2 v2.9.5
- github.com/onsi/gomega v1.27.7
+ github.com/hashicorp/hcl/v2 v2.21.0
+ github.com/hashicorp/vault/api v1.14.0
+ github.com/onsi/ginkgo/v2 v2.19.0
+ github.com/onsi/gomega v1.33.1
 github.com/pkg/errors v0.9.1
 github.com/scylladb/go-set v1.0.2
 k8s.io/api v0.27.3
@@ -26,6 +28,7 @@ require (
 github.com/Masterminds/semver/v3 v3.2.0 // indirect
 github.com/agext/levenshtein v1.2.1 // indirect
 github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+ github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
@@ -34,23 +37,23 @@ require (
 github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 github.com/fsnotify/fsnotify v1.6.0 // indirect
- github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+ github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 github.com/go-logr/zapr v1.2.4 // indirect
 github.com/go-openapi/jsonpointer v0.19.6 // indirect
 github.com/go-openapi/jsonreference v0.20.1 // indirect
 github.com/go-openapi/swag v0.22.3 // indirect
- github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+ github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.3 // indirect
 github.com/google/gnostic v0.5.7-v3refs // indirect
- github.com/google/go-cmp v0.5.9 // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.1.0 // indirect
- github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+ github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 github.com/google/uuid v1.3.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.6 // indirect
 github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
@@ -75,7 +78,6 @@ require (
 github.com/prometheus/common v0.42.0 // indirect
 github.com/prometheus/procfs v0.9.0 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
- github.com/sergi/go-diff v1.1.0 // indirect
 github.com/shopspring/decimal v1.2.0 // indirect
 github.com/spf13/cast v1.3.1 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
@@ -83,17 +85,19 @@ require (
 go.uber.org/atomic v1.9.0 // indirect
 go.uber.org/multierr v1.6.0 // indirect
 go.uber.org/zap v1.24.0 // indirect
- golang.org/x/crypto v0.6.0 // indirect
- golang.org/x/net v0.10.0 // indirect
+ golang.org/x/crypto v0.23.0 // indirect
+ golang.org/x/mod v0.17.0 // indirect
+ golang.org/x/net v0.25.0 // indirect
 golang.org/x/oauth2 v0.5.0 // indirect
- golang.org/x/sys v0.8.0 // indirect
- golang.org/x/term v0.8.0 // indirect
- golang.org/x/text v0.9.0 // indirect
+ golang.org/x/sync v0.7.0 // indirect
+ golang.org/x/sys v0.20.0 // indirect
+ golang.org/x/term v0.20.0 // indirect
+ golang.org/x/text v0.15.0 // indirect
 golang.org/x/time v0.3.0 // indirect
- golang.org/x/tools v0.9.1 // indirect
+ golang.org/x/tools v0.21.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/protobuf v1.30.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 75c2ad0..fc275ec 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.2.0 h1:3MEsd0SM6jqZojhjLWWeBY+Kcjy9i6MQAeY7YgDP83g=
@@ -12,6 +12,8 @@ github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tj github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= +github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= @@ -23,9 +25,6 @@ github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4r github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -40,17 +39,19 @@ github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCv github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/fatih/set v0.2.1 h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA= github.com/fatih/set v0.2.1/go.mod h1:+RKtMCH+favT2+3YecHGxcc0b4KyVWA1QWWJUs4E0CI= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= -github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= 
github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= @@ -59,9 +60,10 @@ github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTr github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -87,31 +89,29 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= 
github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v0.16.2 h1:K4ev2ib4LdQETX5cSZBG0DVLk1jwGqSPXBjdah3veNs= +github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= +github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM= -github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= +github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM= +github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= 
@@ -123,13 +123,12 @@ github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0S github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/hcl/v2 v2.17.0 h1:z1XvSUyXd1HP10U4lrLg5e0JMVz6CPaJvAgxM0KNZVY= -github.com/hashicorp/hcl/v2 v2.17.0/go.mod h1:gJyW2PTShkJqQBKpAmPO3yxMxIuoXkOF2TpqXzrQyx4= -github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= -github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/hcl/v2 v2.21.0 h1:lve4q/o/2rqwYOgUg3y3V2YPyD1/zkCLGjIV74Jit14= +github.com/hashicorp/hcl/v2 v2.21.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA= +github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= +github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk= github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= 
@@ -144,17 +143,19 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-colorable v0.1.6 h1:6Su7aK7lXmJ/U79bYtBjLNaha4Fs1Rg9plHpcH+vvnE= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mitchellh/cli v1.0.0/go.mod 
h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= @@ -176,10 +177,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= -github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= -github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -196,13 +197,12 @@ github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/scylladb/go-set v1.0.2 h1:SkvlMCKhP0wyyct6j+0IHJkBkSZL+TDzZ4E7f7BCcRE= github.com/scylladb/go-set v1.0.2/go.mod h1:DkpGd78rljTxKAnTDPFqXSGxvETQnJyuSOQwsHycqfs= -github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng= 
@@ -215,37 +215,38 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0= github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= +github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo= +github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod 
h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= -golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= @@ -255,7 +256,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -269,8 +271,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= 
@@ -282,11 +284,12 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -296,20 +299,20 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod 
h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -322,8 +325,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= -golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -351,8 +354,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -361,7 +364,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= diff --git a/main.go b/main.go index 846e818..834311f 100644 --- a/main.go +++ b/main.go 
@@ -307,7 +307,7 @@ func main() { setupLog.Error(err, "unable to create webhook", "webhook", "AzureAuthEngineRole") os.Exit(1) } - + if err = (&redhatcopv1alpha1.GCPAuthEngineConfig{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "GCPAuthEngineConfig") os.Exit(1) @@ -316,7 +316,7 @@ func main() { setupLog.Error(err, "unable to create webhook", "webhook", "GCPAuthEngineRole") os.Exit(1) } - + if err = (&redhatcopv1alpha1.VaultSecret{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "VaultSecret") os.Exit(1) diff --git a/readme.md b/readme.md index 389ee21..0d3415b 100644 --- a/readme.md +++ b/readme.md @@ -14,6 +14,7 @@ - [Contributing a new Vault type](#contributing-a-new-vault-type) - [Initializing the connection to Vault](#initializing-the-connection-to-vault) - [The Common connection section](#the-common-connection-section) + - [Node on deleting resources](#note-on-deleting-resources) - [Deploying the Operator](#deploying-the-operator) - [Multiarch Support](#multiarch-support) - [Deploying from OperatorHub](#deploying-from-operatorhub) 
@@ -197,6 +198,11 @@ Here is an example: This section features the same options that are available via environment variables when using the `vault` client. Keep in mind that this configuration override the default explained above, so you need to specify only the field that need to be different. +## Note on deleting resources + +As mentioned in the introduction, this operator is built on the philosophy of a one to one high fidelity mapping between CRDs and vault APIs. Some Vault APIs though are not fully REST compliant. In particular some resources cannot be deleted. This mostly happens on configuration resources (either authentication or secret engine configuration). Configuration resources in general cannot be deleted when there is a 1 to 1 relationship (as opposed to one to many) between the mount and the configuration. +CRDs corresponding to configuration resources can be identified by the Config postfix. When a CRD of a non deletable configuration is deleted in Kubernetes, this result in a no-op. The only way to delete the configuration is to also delete the corresponding mount. + ## Deploying the Operator This is a cluster-level operator that you can deploy in any namespace, `vault-config-operator` is recommended. @@ -526,6 +532,13 @@ oc apply -f ./test/kube-auth-engine-config.yaml -n vault-admin oc apply -f ./test/kube-auth-engine-role.yaml -n vault-admin ``` +Kube auth engine use vault pod OS ca bundle + +```sh +oc apply -f ./test/kube-auth-engine-mount.yaml -n vault-admin +oc apply -f ./test/kube-auth-engine-config-vault-pod-ca.yaml -n vault-admin +``` + Github secret engine create a github application following the instructions [here](https://github.com/martinbaillie/vault-plugin-secrets-github#setup-github). diff --git a/test/kube-auth-engine-config-vault-pod-ca.yaml b/test/kube-auth-engine-config-vault-pod-ca.yaml new file mode 100644 index 0000000..bbda662 --- /dev/null +++ b/test/kube-auth-engine-config-vault-pod-ca.yaml 
@@ -0,0 +1,13 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: KubernetesAuthEngineConfig
+metadata:
+ name: authenginemount-sample
+spec:
+ authentication:
+ path: kubernetes
+ role: policy-admin
+ path: kube-authengine-mount-sample
+ disableISSValidation: true
+ disableLocalCAJWT: true
+ useOperatorPodCA: false
+ kubernetesHost: https://api.${cluster_base_domain}:6443
\ No newline at end of file
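Review bot: `kubernetesHost: https://api.${cluster_base_domain}:6443` leaves a shell-style placeholder in the new fixture, yet the readme hunk above applies it with a plain `oc apply -f ./test/kube-auth-engine-config-vault-pod-ca.yaml -n vault-admin`, so the literal `${cluster_base_domain}` would be handed to Vault as the Kubernetes API host; unless the other test manifests rely on an `envsubst` step that is documented elsewhere, either add that step to the readme or use a concrete host value. The fixture also sets `disableISSValidation: true` together with `disableLocalCAJWT: true` and `useOperatorPodCA: false`, which is what makes Vault fall back to its OS trust store as the readme describes, but skipping issuer validation is a deliberate weakening of the JWT check, so a leading comment such as `# test fixture: issuer validation is disabled on purpose; not a production template` would keep it from being copied as-is. Finally, `metadata.name: authenginemount-sample` looks reused from the mount sample; if `./test/kube-auth-engine-config.yaml` uses the same name, applying both in `vault-admin` would have one config overwrite the other, and a distinct name (for example `kube-auth-engine-config-vault-pod-ca`) would keep the two scenarios independent.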