v1alpha1

package
v1.4.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 20, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

+kubebuilder:object:generate=true +groupName=jwt.vault.upbound.io +versionName=v1alpha1

Index

Constants

View Source
const (
	CRDGroup   = "jwt.vault.upbound.io"
	CRDVersion = "v1alpha1"
)

Package type metadata.

Variables

View Source
var (
	AuthBackendRole_Kind             = "AuthBackendRole"
	AuthBackendRole_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: AuthBackendRole_Kind}.String()
	AuthBackendRole_KindAPIVersion   = AuthBackendRole_Kind + "." + CRDGroupVersion.String()
	AuthBackendRole_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackendRole_Kind)
)

Repository type metadata.

View Source
var (
	// CRDGroupVersion is the API Group Version used to register the objects
	CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type AuthBackendRole

type AuthBackendRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || (has(self.initProvider) && has(self.initProvider.roleName))",message="spec.forProvider.roleName is a required parameter"
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || (has(self.initProvider) && has(self.initProvider.userClaim))",message="spec.forProvider.userClaim is a required parameter"
	Spec   AuthBackendRoleSpec   `json:"spec"`
	Status AuthBackendRoleStatus `json:"status,omitempty"`
}

AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault}

func (*AuthBackendRole) DeepCopy

func (in *AuthBackendRole) DeepCopy() *AuthBackendRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRole.

func (*AuthBackendRole) DeepCopyInto

func (in *AuthBackendRole) DeepCopyInto(out *AuthBackendRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthBackendRole) DeepCopyObject

func (in *AuthBackendRole) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthBackendRole) GetCondition

func (mg *AuthBackendRole) GetCondition(ct xpv1.ConditionType) xpv1.Condition

GetCondition of this AuthBackendRole.

func (*AuthBackendRole) GetConnectionDetailsMapping

func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string

GetConnectionDetailsMapping for this AuthBackendRole

func (*AuthBackendRole) GetDeletionPolicy

func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy

GetDeletionPolicy of this AuthBackendRole.

func (*AuthBackendRole) GetID

func (tr *AuthBackendRole) GetID() string

GetID returns ID of underlying Terraform resource of this AuthBackendRole

func (*AuthBackendRole) GetInitParameters

func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error)

GetInitParameters of this AuthBackendRole

func (*AuthBackendRole) GetManagementPolicies

func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies

GetManagementPolicies of this AuthBackendRole.

func (*AuthBackendRole) GetMergedParameters

func (tr *AuthBackendRole) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error)

GetInitParameters of this AuthBackendRole

func (*AuthBackendRole) GetObservation

func (tr *AuthBackendRole) GetObservation() (map[string]any, error)

GetObservation of this AuthBackendRole

func (*AuthBackendRole) GetParameters

func (tr *AuthBackendRole) GetParameters() (map[string]any, error)

GetParameters of this AuthBackendRole

func (*AuthBackendRole) GetProviderConfigReference

func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference

GetProviderConfigReference of this AuthBackendRole.

func (*AuthBackendRole) GetPublishConnectionDetailsTo

func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo

GetPublishConnectionDetailsTo of this AuthBackendRole.

func (*AuthBackendRole) GetTerraformResourceType

func (mg *AuthBackendRole) GetTerraformResourceType() string

GetTerraformResourceType returns Terraform resource type for this AuthBackendRole

func (*AuthBackendRole) GetTerraformSchemaVersion

func (tr *AuthBackendRole) GetTerraformSchemaVersion() int

GetTerraformSchemaVersion returns the associated Terraform schema version

func (*AuthBackendRole) GetWriteConnectionSecretToReference

func (mg *AuthBackendRole) GetWriteConnectionSecretToReference() *xpv1.SecretReference

GetWriteConnectionSecretToReference of this AuthBackendRole.

func (*AuthBackendRole) Hub

func (tr *AuthBackendRole) Hub()

Hub marks this type as a conversion hub.

func (*AuthBackendRole) LateInitialize

func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error)

LateInitialize this AuthBackendRole using its observed tfState. returns True if there are any spec changes for the resource.

func (*AuthBackendRole) SetConditions

func (mg *AuthBackendRole) SetConditions(c ...xpv1.Condition)

SetConditions of this AuthBackendRole.

func (*AuthBackendRole) SetDeletionPolicy

func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy)

SetDeletionPolicy of this AuthBackendRole.

func (*AuthBackendRole) SetManagementPolicies

func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies)

SetManagementPolicies of this AuthBackendRole.

func (*AuthBackendRole) SetObservation

func (tr *AuthBackendRole) SetObservation(obs map[string]any) error

SetObservation for this AuthBackendRole

func (*AuthBackendRole) SetParameters

func (tr *AuthBackendRole) SetParameters(params map[string]any) error

SetParameters for this AuthBackendRole

func (*AuthBackendRole) SetProviderConfigReference

func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference)

SetProviderConfigReference of this AuthBackendRole.

func (*AuthBackendRole) SetPublishConnectionDetailsTo

func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)

SetPublishConnectionDetailsTo of this AuthBackendRole.

func (*AuthBackendRole) SetWriteConnectionSecretToReference

func (mg *AuthBackendRole) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)

SetWriteConnectionSecretToReference of this AuthBackendRole.

type AuthBackendRoleInitParameters

type AuthBackendRoleInitParameters struct {

	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles
	// The list of allowed values for redirect_uri during OIDC logins.
	// +listType=set
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure.
	// Defaults to jwt.
	// Unique name of the auth backend to configure.
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// List of aud claims to match against. Any match is sufficient.
	// List of aud claims to match against. Any match is sufficient.
	// +listType=set
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against.
	// A claim's value must be a string, which may contain one value or multiple
	// comma-separated values, e.g. "red" or "red,green,blue".
	// Map of claims/values to match against. The expected value may be a single string or a comma-separated string list.
	// +mapType=granular
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values
	// map (bound_claims): can be either string (exact match) or glob (wildcard
	// match). Requires Vault 1.4.0 or above.
	// How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match).
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches
	// this value.
	// If set, requires that the sub claim matches this value.
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied
	// to specified metadata fields (values).
	// Map of claims (keys) to be copied to specified metadata fields (values).
	// +mapType=granular
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for
	// clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify
	// the set of groups to which the user belongs; this will be used as the names
	// for the Identity group aliases created due to a successful login. The claim
	// value must be a list of strings.
	// The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time
	// the user was actively authenticated with the OIDC provider.
	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for
	// clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role.
	// The standard scope "openid" is automatically included and need not be specified.
	// List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
	// +listType=set
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// Name of the role.
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// Type of role, either "oidc" (default) or "jwt"
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	// +listType=set
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an
	// explicit max TTL
	// onto the token in number of seconds. This is a hard cap even if token_ttl and
	// token_max_ttl would otherwise allow a renewal.
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The maximum lifetime of the generated token
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// Generated Token's Period
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	// Generated Token's Policies
	// +listType=set
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The initial ttl of the token to generate in seconds
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service,
	// batch, or default to use the mount's tuned default (which unless changed will be
	// service tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the client
	// requests a different type at generation time.
	// The type of token to generate, service or batch
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify
	// the user; this will be used as the name for the Identity entity alias created
	// due to a successful login.
	// The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses
	// JSON pointer
	// syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level
	// logging is active. Not recommended in production since sensitive information may be present
	// in OIDC responses.
	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}

func (*AuthBackendRoleInitParameters) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters.

func (*AuthBackendRoleInitParameters) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleList

type AuthBackendRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AuthBackendRole `json:"items"`
}

AuthBackendRoleList contains a list of AuthBackendRoles

func (*AuthBackendRoleList) DeepCopy

func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList.

func (*AuthBackendRoleList) DeepCopyInto

func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthBackendRoleList) DeepCopyObject

func (in *AuthBackendRoleList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthBackendRoleList) GetItems

func (l *AuthBackendRoleList) GetItems() []resource.Managed

GetItems of this AuthBackendRoleList.

type AuthBackendRoleObservation

type AuthBackendRoleObservation struct {

	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles
	// The list of allowed values for redirect_uri during OIDC logins.
	// +listType=set
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure.
	// Defaults to jwt.
	// Unique name of the auth backend to configure.
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// List of aud claims to match against. Any match is sufficient.
	// List of aud claims to match against. Any match is sufficient.
	// +listType=set
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against.
	// A claim's value must be a string, which may contain one value or multiple
	// comma-separated values, e.g. "red" or "red,green,blue".
	// Map of claims/values to match against. The expected value may be a single string or a comma-separated string list.
	// +mapType=granular
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values
	// map (bound_claims): can be either string (exact match) or glob (wildcard
	// match). Requires Vault 1.4.0 or above.
	// How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match).
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches
	// this value.
	// If set, requires that the sub claim matches this value.
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied
	// to specified metadata fields (values).
	// Map of claims (keys) to be copied to specified metadata fields (values).
	// +mapType=granular
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for
	// clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify
	// the set of groups to which the user belongs; this will be used as the names
	// for the Identity group aliases created due to a successful login. The claim
	// value must be a list of strings.
	// The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time
	// the user was actively authenticated with the OIDC provider.
	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for
	// clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role.
	// The standard scope "openid" is automatically included and need not be specified.
	// List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
	// +listType=set
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// Name of the role.
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// Type of role, either "oidc" (default) or "jwt"
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	// +listType=set
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an
	// explicit max TTL
	// onto the token in number of seconds. This is a hard cap even if token_ttl and
	// token_max_ttl would otherwise allow a renewal.
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The maximum lifetime of the generated token
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// Generated Token's Period
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	// Generated Token's Policies
	// +listType=set
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The initial ttl of the token to generate in seconds
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service,
	// batch, or default to use the mount's tuned default (which unless changed will be
	// service tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the client
	// requests a different type at generation time.
	// The type of token to generate, service or batch
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify
	// the user; this will be used as the name for the Identity entity alias created
	// due to a successful login.
	// The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses
	// JSON pointer
	// syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level
	// logging is active. Not recommended in production since sensitive information may be present
	// in OIDC responses.
	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}

func (*AuthBackendRoleObservation) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleObservation.

func (*AuthBackendRoleObservation) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleParameters

type AuthBackendRoleParameters struct {

	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles
	// The list of allowed values for redirect_uri during OIDC logins.
	// +kubebuilder:validation:Optional
	// +listType=set
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure.
	// Defaults to jwt.
	// Unique name of the auth backend to configure.
	// +kubebuilder:validation:Optional
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// List of aud claims to match against. Any match is sufficient.
	// List of aud claims to match against. Any match is sufficient.
	// +kubebuilder:validation:Optional
	// +listType=set
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against.
	// A claim's value must be a string, which may contain one value or multiple
	// comma-separated values, e.g. "red" or "red,green,blue".
	// Map of claims/values to match against. The expected value may be a single string or a comma-separated string list.
	// +kubebuilder:validation:Optional
	// +mapType=granular
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values
	// map (bound_claims): can be either string (exact match) or glob (wildcard
	// match). Requires Vault 1.4.0 or above.
	// How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match).
	// +kubebuilder:validation:Optional
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches
	// this value.
	// If set, requires that the sub claim matches this value.
	// +kubebuilder:validation:Optional
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied
	// to specified metadata fields (values).
	// Map of claims (keys) to be copied to specified metadata fields (values).
	// +kubebuilder:validation:Optional
	// +mapType=granular
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	// +kubebuilder:validation:Optional
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	// +kubebuilder:validation:Optional
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for
	// clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	// +kubebuilder:validation:Optional
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify
	// the set of groups to which the user belongs; this will be used as the names
	// for the Identity group aliases created due to a successful login. The claim
	// value must be a list of strings.
	// The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
	// +kubebuilder:validation:Optional
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time
	// the user was actively authenticated with the OIDC provider.
	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	// +kubebuilder:validation:Optional
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	// +kubebuilder:validation:Optional
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for
	// clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	// +kubebuilder:validation:Optional
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role.
	// The standard scope "openid" is automatically included and need not be specified.
	// List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
	// +kubebuilder:validation:Optional
	// +listType=set
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// Name of the role.
	// +kubebuilder:validation:Optional
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// Type of role, either "oidc" (default) or "jwt"
	// +kubebuilder:validation:Optional
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	// +kubebuilder:validation:Optional
	// +listType=set
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an
	// explicit max TTL
	// onto the token in number of seconds. This is a hard cap even if token_ttl and
	// token_max_ttl would otherwise allow a renewal.
	// Generated Token's Explicit Maximum TTL in seconds
	// +kubebuilder:validation:Optional
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The maximum lifetime of the generated token
	// +kubebuilder:validation:Optional
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	// If true, the 'default' policy will not automatically be added to generated tokens
	// +kubebuilder:validation:Optional
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	// The maximum number of times a token may be used, a value of zero means unlimited
	// +kubebuilder:validation:Optional
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// Generated Token's Period
	// +kubebuilder:validation:Optional
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	// Generated Token's Policies
	// +kubebuilder:validation:Optional
	// +listType=set
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The initial ttl of the token to generate in seconds
	// +kubebuilder:validation:Optional
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service,
	// batch, or default to use the mount's tuned default (which unless changed will be
	// service tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the client
	// requests a different type at generation time.
	// The type of token to generate, service or batch
	// +kubebuilder:validation:Optional
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify
	// the user; this will be used as the name for the Identity entity alias created
	// due to a successful login.
	// The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
	// +kubebuilder:validation:Optional
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses
	// JSON pointer
	// syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// +kubebuilder:validation:Optional
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level
	// logging is active. Not recommended in production since sensitive information may be present
	// in OIDC responses.
	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	// +kubebuilder:validation:Optional
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}

func (*AuthBackendRoleParameters) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleParameters.

func (*AuthBackendRoleParameters) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleSpec

type AuthBackendRoleSpec struct {
	v1.ResourceSpec `json:",inline"`
	ForProvider     AuthBackendRoleParameters `json:"forProvider"`
	// THIS IS A BETA FIELD. It will be honored
	// unless the Management Policies feature flag is disabled.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"`
}

AuthBackendRoleSpec defines the desired state of AuthBackendRole

func (*AuthBackendRoleSpec) DeepCopy

func (in *AuthBackendRoleSpec) DeepCopy() *AuthBackendRoleSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec.

func (*AuthBackendRoleSpec) DeepCopyInto

func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleStatus

type AuthBackendRoleStatus struct {
	v1.ResourceStatus `json:",inline"`
	AtProvider        AuthBackendRoleObservation `json:"atProvider,omitempty"`
}

AuthBackendRoleStatus defines the observed state of AuthBackendRole.

func (*AuthBackendRoleStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleStatus.

func (*AuthBackendRoleStatus) DeepCopyInto

func (in *AuthBackendRoleStatus) DeepCopyInto(out *AuthBackendRoleStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL