Overview ¶
+kubebuilder:object:generate=true +groupName=jwt.vault.upbound.io +versionName=v1alpha1
Index ¶
- Constants
- Variables
- type AuthBackend
- func (in *AuthBackend) DeepCopy() *AuthBackend
- func (in *AuthBackend) DeepCopyInto(out *AuthBackend)
- func (in *AuthBackend) DeepCopyObject() runtime.Object
- func (mg *AuthBackend) GetCondition(ct xpv1.ConditionType) xpv1.Condition
- func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string
- func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy
- func (tr *AuthBackend) GetID() string
- func (tr *AuthBackend) GetInitParameters() (map[string]any, error)
- func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies
- func (tr *AuthBackend) GetObservation() (map[string]any, error)
- func (tr *AuthBackend) GetParameters() (map[string]any, error)
- func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference
- func (mg *AuthBackend) GetProviderReference() *xpv1.Reference
- func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo
- func (mg *AuthBackend) GetTerraformResourceType() string
- func (tr *AuthBackend) GetTerraformSchemaVersion() int
- func (mg *AuthBackend) GetWriteConnectionSecretToReference() *xpv1.SecretReference
- func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error)
- func (mg *AuthBackend) SetConditions(c ...xpv1.Condition)
- func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy)
- func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies)
- func (tr *AuthBackend) SetObservation(obs map[string]any) error
- func (tr *AuthBackend) SetParameters(params map[string]any) error
- func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference)
- func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference)
- func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)
- func (mg *AuthBackend) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)
- type AuthBackendInitParameters
- type AuthBackendList
- type AuthBackendObservation
- type AuthBackendParameters
- type AuthBackendRole
- func (in *AuthBackendRole) DeepCopy() *AuthBackendRole
- func (in *AuthBackendRole) DeepCopyInto(out *AuthBackendRole)
- func (in *AuthBackendRole) DeepCopyObject() runtime.Object
- func (mg *AuthBackendRole) GetCondition(ct xpv1.ConditionType) xpv1.Condition
- func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string
- func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy
- func (tr *AuthBackendRole) GetID() string
- func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error)
- func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies
- func (tr *AuthBackendRole) GetObservation() (map[string]any, error)
- func (tr *AuthBackendRole) GetParameters() (map[string]any, error)
- func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference
- func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference
- func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo
- func (mg *AuthBackendRole) GetTerraformResourceType() string
- func (tr *AuthBackendRole) GetTerraformSchemaVersion() int
- func (mg *AuthBackendRole) GetWriteConnectionSecretToReference() *xpv1.SecretReference
- func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error)
- func (mg *AuthBackendRole) SetConditions(c ...xpv1.Condition)
- func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy)
- func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies)
- func (tr *AuthBackendRole) SetObservation(obs map[string]any) error
- func (tr *AuthBackendRole) SetParameters(params map[string]any) error
- func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference)
- func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference)
- func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)
- func (mg *AuthBackendRole) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)
- type AuthBackendRoleInitParameters
- type AuthBackendRoleList
- type AuthBackendRoleObservation
- type AuthBackendRoleParameters
- type AuthBackendRoleSpec
- type AuthBackendRoleStatus
- type AuthBackendSpec
- type AuthBackendStatus
- type TuneInitParameters
- type TuneObservation
- type TuneParameters
Constants ¶
// Package type metadata: the API group and version under which every
// type in this package is registered.
const (
	CRDGroup   = "jwt.vault.upbound.io"
	CRDVersion = "v1alpha1"
)
Package type metadata.
Variables ¶
// Repository type metadata for AuthBackend: the kind name and the
// derived GroupKind, "Kind.group/version" string and GroupVersionKind
// used to register and look up the type in a scheme.
var (
	AuthBackend_Kind             = "AuthBackend"
	AuthBackend_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: AuthBackend_Kind}.String()
	AuthBackend_KindAPIVersion   = AuthBackend_Kind + "." + CRDGroupVersion.String()
	AuthBackend_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackend_Kind)
)
Repository type metadata.
// Repository type metadata for AuthBackendRole: the kind name and the
// derived GroupKind, "Kind.group/version" string and GroupVersionKind
// used to register and look up the type in a scheme.
var (
	AuthBackendRole_Kind             = "AuthBackendRole"
	AuthBackendRole_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: AuthBackendRole_Kind}.String()
	AuthBackendRole_KindAPIVersion   = AuthBackendRole_Kind + "." + CRDGroupVersion.String()
	AuthBackendRole_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackendRole_Kind)
)
Repository type metadata.
var (
	// CRDGroupVersion is the API GroupVersion (CRDGroup/CRDVersion) under
	// which the objects of this package are registered.
	CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion}

	// SchemeBuilder collects the Go types of this group-version so they can
	// be added to a runtime scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion}

	// AddToScheme registers the types in this group-version with the given
	// scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type AuthBackend ¶
// AuthBackend is the Schema for the AuthBackends API: a cluster-scoped
// managed resource representing a JWT/OIDC auth backend in Vault. Spec
// carries the desired configuration; Status carries what was observed,
// including the Ready/Synced conditions.
type AuthBackend struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AuthBackendSpec   `json:"spec"`
	Status            AuthBackendStatus `json:"status,omitempty"`
}
AuthBackend is the Schema for the AuthBackends API. Manages JWT/OIDC auth backends in Vault. +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault}
func (*AuthBackend) DeepCopy ¶
func (in *AuthBackend) DeepCopy() *AuthBackend
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackend.
func (*AuthBackend) DeepCopyInto ¶
func (in *AuthBackend) DeepCopyInto(out *AuthBackend)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthBackend) DeepCopyObject ¶
func (in *AuthBackend) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AuthBackend) GetCondition ¶
func (mg *AuthBackend) GetCondition(ct xpv1.ConditionType) xpv1.Condition
GetCondition of this AuthBackend.
func (*AuthBackend) GetConnectionDetailsMapping ¶
func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string
GetConnectionDetailsMapping for this AuthBackend
func (*AuthBackend) GetDeletionPolicy ¶
func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy
GetDeletionPolicy of this AuthBackend.
func (*AuthBackend) GetID ¶
func (tr *AuthBackend) GetID() string
GetID returns the ID of the underlying Terraform resource of this AuthBackend.
func (*AuthBackend) GetInitParameters ¶ added in v0.2.0
func (tr *AuthBackend) GetInitParameters() (map[string]any, error)
GetInitParameters of this AuthBackend
func (*AuthBackend) GetManagementPolicies ¶ added in v0.2.0
func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies
GetManagementPolicies of this AuthBackend.
func (*AuthBackend) GetObservation ¶
func (tr *AuthBackend) GetObservation() (map[string]any, error)
GetObservation of this AuthBackend
func (*AuthBackend) GetParameters ¶
func (tr *AuthBackend) GetParameters() (map[string]any, error)
GetParameters of this AuthBackend
func (*AuthBackend) GetProviderConfigReference ¶
func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference
GetProviderConfigReference of this AuthBackend.
func (*AuthBackend) GetProviderReference ¶
func (mg *AuthBackend) GetProviderReference() *xpv1.Reference
GetProviderReference of this AuthBackend. Deprecated: Use GetProviderConfigReference.
func (*AuthBackend) GetPublishConnectionDetailsTo ¶
func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo
GetPublishConnectionDetailsTo of this AuthBackend.
func (*AuthBackend) GetTerraformResourceType ¶
func (mg *AuthBackend) GetTerraformResourceType() string
GetTerraformResourceType returns Terraform resource type for this AuthBackend
func (*AuthBackend) GetTerraformSchemaVersion ¶
func (tr *AuthBackend) GetTerraformSchemaVersion() int
GetTerraformSchemaVersion returns the associated Terraform schema version
func (*AuthBackend) GetWriteConnectionSecretToReference ¶
func (mg *AuthBackend) GetWriteConnectionSecretToReference() *xpv1.SecretReference
GetWriteConnectionSecretToReference of this AuthBackend.
func (*AuthBackend) LateInitialize ¶
func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error)
LateInitialize this AuthBackend using its observed tfState. Returns true if there are any spec changes for the resource.
func (*AuthBackend) SetConditions ¶
func (mg *AuthBackend) SetConditions(c ...xpv1.Condition)
SetConditions of this AuthBackend.
func (*AuthBackend) SetDeletionPolicy ¶
func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy)
SetDeletionPolicy of this AuthBackend.
func (*AuthBackend) SetManagementPolicies ¶ added in v0.2.0
func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies)
SetManagementPolicies of this AuthBackend.
func (*AuthBackend) SetObservation ¶
func (tr *AuthBackend) SetObservation(obs map[string]any) error
SetObservation for this AuthBackend
func (*AuthBackend) SetParameters ¶
func (tr *AuthBackend) SetParameters(params map[string]any) error
SetParameters for this AuthBackend
func (*AuthBackend) SetProviderConfigReference ¶
func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference)
SetProviderConfigReference of this AuthBackend.
func (*AuthBackend) SetProviderReference ¶
func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference)
SetProviderReference of this AuthBackend. Deprecated: Use SetProviderConfigReference.
func (*AuthBackend) SetPublishConnectionDetailsTo ¶
func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)
SetPublishConnectionDetailsTo of this AuthBackend.
func (*AuthBackend) SetWriteConnectionSecretToReference ¶
func (mg *AuthBackend) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)
SetWriteConnectionSecretToReference of this AuthBackend.
type AuthBackendInitParameters ¶ added in v0.2.0
// AuthBackendInitParameters holds the initial, user-settable configuration
// of a JWT/OIDC auth backend: issuer binding, the source used to verify
// token signatures (a JWKS URL, an OIDC discovery URL, or static public
// keys — the three are mutually exclusive), OIDC client settings and mount
// options.
type AuthBackendInitParameters struct {
	// The value against which to match the iss claim in a JWT.
	BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login.
	DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"`

	// The description of the auth backend.
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// If set, opts out of mount migration on path updates. See the Vault
	// documentation on Mount Migration for details.
	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, used to
	// validate connections to the JWKS URL. If not set, system certificates
	// are used.
	JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with
	// 'oidc_discovery_url' or 'jwt_validation_pubkeys'.
	JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Vault 1.1.0 defaults to
	// [RS256], but other Vault versions may differ.
	// NOTE(review): every algorithm listed here is one the backend will
	// accept when verifying token signatures, so keep the list to what the
	// issuer actually signs with — confirm against the Vault JWT auth docs.
	JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures
	// locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'.
	JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"`

	// Specifies if the auth method is local only.
	Local *bool `json:"local,omitempty" tf:"local,omitempty"`

	// The namespace to provision the resource in. The value should not
	// contain leading or trailing forward slashes. The namespace is always
	// relative to the provider's configured namespace. Available only for
	// Vault Enterprise.
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate
	// query parameter. With this setting, the allowed redirect URL(s) in
	// Vault and on the provider side should not contain a namespace query
	// parameter, so only one redirect URL entry needs to be maintained on
	// the OIDC provider side for all Vault namespaces that authenticate
	// against it. Defaults to true for new configs.
	NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"`

	// Client ID used for OIDC backends.
	OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, used to
	// validate connections to the OIDC Discovery URL. If not set, system
	// certificates are used.
	OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"`

	// The OIDC Discovery URL, without any .well-known component (base path).
	// Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.
	OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are
	// 'query' and 'form_post'. Defaults to 'query'. If using Vault
	// namespaces and oidc_response_mode is 'form_post', then
	// 'namespace_in_state' should be set to false.
	OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"`

	// List of response types to request. Allowed values are 'code' and
	// 'id_token'. Defaults to ["code"]. Note: 'id_token' may only be used
	// if 'oidc_response_mode' is set to 'form_post'.
	OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"`

	// Path to mount the JWT/OIDC auth backend.
	Path *string `json:"path,omitempty" tf:"path,omitempty"`

	// Provider specific handling configuration. All values may be strings,
	// and the provider will convert to the appropriate type when
	// configuring Vault.
	ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"`

	// Mount tune settings for the backend (no upstream description; see
	// TuneInitParameters).
	Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"`

	// Type of auth backend. Should be one of 'jwt' or 'oidc'. Default: jwt.
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}
func (*AuthBackendInitParameters) DeepCopy ¶ added in v0.2.0
func (in *AuthBackendInitParameters) DeepCopy() *AuthBackendInitParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters.
func (*AuthBackendInitParameters) DeepCopyInto ¶ added in v0.2.0
func (in *AuthBackendInitParameters) DeepCopyInto(out *AuthBackendInitParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendList ¶
// AuthBackendList is the list type returned when enumerating AuthBackend
// resources; Items holds the individual objects.
type AuthBackendList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AuthBackend `json:"items"`
}
AuthBackendList contains a list of AuthBackends
func (*AuthBackendList) DeepCopy ¶
func (in *AuthBackendList) DeepCopy() *AuthBackendList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendList.
func (*AuthBackendList) DeepCopyInto ¶
func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthBackendList) DeepCopyObject ¶
func (in *AuthBackendList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AuthBackendList) GetItems ¶
func (l *AuthBackendList) GetItems() []resource.Managed
GetItems of this AuthBackendList.
type AuthBackendObservation ¶
// AuthBackendObservation is the state of a JWT/OIDC auth backend as read
// back from Vault. Besides the configurable fields it carries the
// server-assigned Accessor and ID. Note that no OIDC client secret is
// present here; only the client ID is observed.
type AuthBackendObservation struct {
	// The accessor of the JWT auth backend.
	Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"`

	// The value against which to match the iss claim in a JWT.
	BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login.
	DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"`

	// The description of the auth backend.
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// If set, opts out of mount migration on path updates. See the Vault
	// documentation on Mount Migration for details.
	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`

	// Identifier of the underlying Terraform resource (no upstream
	// description).
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, used to
	// validate connections to the JWKS URL. If not set, system certificates
	// are used.
	JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with
	// 'oidc_discovery_url' or 'jwt_validation_pubkeys'.
	JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Vault 1.1.0 defaults to
	// [RS256], but other Vault versions may differ.
	JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures
	// locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'.
	JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"`

	// Specifies if the auth method is local only.
	Local *bool `json:"local,omitempty" tf:"local,omitempty"`

	// The namespace to provision the resource in. The value should not
	// contain leading or trailing forward slashes. The namespace is always
	// relative to the provider's configured namespace. Available only for
	// Vault Enterprise.
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate
	// query parameter. With this setting, the allowed redirect URL(s) in
	// Vault and on the provider side should not contain a namespace query
	// parameter, so only one redirect URL entry needs to be maintained on
	// the OIDC provider side for all Vault namespaces that authenticate
	// against it. Defaults to true for new configs.
	NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"`

	// Client ID used for OIDC backends.
	OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, used to
	// validate connections to the OIDC Discovery URL. If not set, system
	// certificates are used.
	OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"`

	// The OIDC Discovery URL, without any .well-known component (base path).
	// Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.
	OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are
	// 'query' and 'form_post'. Defaults to 'query'. If using Vault
	// namespaces and oidc_response_mode is 'form_post', then
	// 'namespace_in_state' should be set to false.
	OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"`

	// List of response types to request. Allowed values are 'code' and
	// 'id_token'. Defaults to ["code"]. Note: 'id_token' may only be used
	// if 'oidc_response_mode' is set to 'form_post'.
	OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"`

	// Path to mount the JWT/OIDC auth backend.
	Path *string `json:"path,omitempty" tf:"path,omitempty"`

	// Provider specific handling configuration. All values may be strings,
	// and the provider will convert to the appropriate type when
	// configuring Vault.
	ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"`

	// Observed mount tune settings (no upstream description; see
	// TuneObservation).
	Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"`

	// Type of auth backend. Should be one of 'jwt' or 'oidc'. Default: jwt.
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}
func (*AuthBackendObservation) DeepCopy ¶
func (in *AuthBackendObservation) DeepCopy() *AuthBackendObservation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendObservation.
func (*AuthBackendObservation) DeepCopyInto ¶
func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendParameters ¶
// AuthBackendParameters is the desired configuration of a JWT/OIDC auth
// backend (spec.forProvider). Every field is optional at the CRD level.
// It differs from AuthBackendInitParameters only in carrying
// OidcClientSecretSecretRef, through which the OIDC client secret is
// supplied as a Kubernetes Secret reference rather than inline.
type AuthBackendParameters struct {
	// The value against which to match the iss claim in a JWT.
	// +kubebuilder:validation:Optional
	BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login.
	// +kubebuilder:validation:Optional
	DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"`

	// The description of the auth backend.
	// +kubebuilder:validation:Optional
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// If set, opts out of mount migration on path updates. See the Vault
	// documentation on Mount Migration for details.
	// +kubebuilder:validation:Optional
	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, used to
	// validate connections to the JWKS URL. If not set, system certificates
	// are used.
	// +kubebuilder:validation:Optional
	JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with
	// 'oidc_discovery_url' or 'jwt_validation_pubkeys'.
	// +kubebuilder:validation:Optional
	JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Vault 1.1.0 defaults to
	// [RS256], but other Vault versions may differ.
	// NOTE(review): every algorithm listed here is one the backend will
	// accept when verifying token signatures, so keep the list to what the
	// issuer actually signs with — confirm against the Vault JWT auth docs.
	// +kubebuilder:validation:Optional
	JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures
	// locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'.
	// +kubebuilder:validation:Optional
	JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"`

	// Specifies if the auth method is local only.
	// +kubebuilder:validation:Optional
	Local *bool `json:"local,omitempty" tf:"local,omitempty"`

	// The namespace to provision the resource in. The value should not
	// contain leading or trailing forward slashes. The namespace is always
	// relative to the provider's configured namespace. Available only for
	// Vault Enterprise.
	// +kubebuilder:validation:Optional
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate
	// query parameter. With this setting, the allowed redirect URL(s) in
	// Vault and on the provider side should not contain a namespace query
	// parameter, so only one redirect URL entry needs to be maintained on
	// the OIDC provider side for all Vault namespaces that authenticate
	// against it. Defaults to true for new configs.
	// +kubebuilder:validation:Optional
	NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"`

	// Client ID used for OIDC backends.
	// +kubebuilder:validation:Optional
	OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"`

	// Client Secret used for OIDC backends, given as a reference to a key
	// in a Kubernetes Secret. The tf:"-" tag keeps the secret value out of
	// the tf-tagged parameter set (presumably the provider resolves it
	// from the referenced Secret at reconcile time — confirm against the
	// provider config), and AuthBackendObservation has no corresponding
	// field, so the value is never echoed back into status.
	// +kubebuilder:validation:Optional
	OidcClientSecretSecretRef *v1.SecretKeySelector `json:"oidcClientSecretSecretRef,omitempty" tf:"-"`

	// The CA certificate or chain of certificates, in PEM format, used to
	// validate connections to the OIDC Discovery URL. If not set, system
	// certificates are used.
	// +kubebuilder:validation:Optional
	OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"`

	// The OIDC Discovery URL, without any .well-known component (base path).
	// Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.
	// +kubebuilder:validation:Optional
	OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are
	// 'query' and 'form_post'. Defaults to 'query'. If using Vault
	// namespaces and oidc_response_mode is 'form_post', then
	// 'namespace_in_state' should be set to false.
	// +kubebuilder:validation:Optional
	OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"`

	// List of response types to request. Allowed values are 'code' and
	// 'id_token'. Defaults to ["code"]. Note: 'id_token' may only be used
	// if 'oidc_response_mode' is set to 'form_post'.
	// +kubebuilder:validation:Optional
	OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"`

	// Path to mount the JWT/OIDC auth backend.
	// +kubebuilder:validation:Optional
	Path *string `json:"path,omitempty" tf:"path,omitempty"`

	// Provider specific handling configuration. All values may be strings,
	// and the provider will convert to the appropriate type when
	// configuring Vault.
	// +kubebuilder:validation:Optional
	ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"`

	// Mount tune settings for the backend (no upstream description; see
	// TuneParameters).
	// +kubebuilder:validation:Optional
	Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"`

	// Type of auth backend. Should be one of 'jwt' or 'oidc'. Default: jwt.
	// +kubebuilder:validation:Optional
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}
func (*AuthBackendParameters) DeepCopy ¶
func (in *AuthBackendParameters) DeepCopy() *AuthBackendParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendParameters.
func (*AuthBackendParameters) DeepCopyInto ¶
func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendRole ¶
// AuthBackendRole is the Schema for the AuthBackendRoles API and manages a
// JWT/OIDC auth backend role in Vault.
//
// The two XValidation rules on Spec make roleName and userClaim mandatory whenever
// the management policies allow the resource to be created or updated (in either
// forProvider or initProvider). They do not express the requirement, documented on
// the BoundAudiences field of the parameter types, that a "jwt" role carry at least
// one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs; that
// check is presumably left to Vault itself — confirm against the Vault version in use.
type AuthBackendRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter"
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || has(self.initProvider.userClaim)",message="userClaim is a required parameter"
	Spec   AuthBackendRoleSpec   `json:"spec"`
	Status AuthBackendRoleStatus `json:"status,omitempty"`
}
AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault}
func (*AuthBackendRole) DeepCopy ¶
func (in *AuthBackendRole) DeepCopy() *AuthBackendRole
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRole.
func (*AuthBackendRole) DeepCopyInto ¶
func (in *AuthBackendRole) DeepCopyInto(out *AuthBackendRole)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthBackendRole) DeepCopyObject ¶
func (in *AuthBackendRole) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AuthBackendRole) GetCondition ¶
func (mg *AuthBackendRole) GetCondition(ct xpv1.ConditionType) xpv1.Condition
GetCondition of this AuthBackendRole.
func (*AuthBackendRole) GetConnectionDetailsMapping ¶
func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string
GetConnectionDetailsMapping for this AuthBackendRole
func (*AuthBackendRole) GetDeletionPolicy ¶
func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy
GetDeletionPolicy of this AuthBackendRole.
func (*AuthBackendRole) GetID ¶
func (tr *AuthBackendRole) GetID() string
GetID returns the ID of the underlying Terraform resource of this AuthBackendRole.
func (*AuthBackendRole) GetInitParameters ¶ added in v0.2.0
func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error)
GetInitParameters of this AuthBackendRole
func (*AuthBackendRole) GetManagementPolicies ¶ added in v0.2.0
func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies
GetManagementPolicies of this AuthBackendRole.
func (*AuthBackendRole) GetObservation ¶
func (tr *AuthBackendRole) GetObservation() (map[string]any, error)
GetObservation of this AuthBackendRole
func (*AuthBackendRole) GetParameters ¶
func (tr *AuthBackendRole) GetParameters() (map[string]any, error)
GetParameters of this AuthBackendRole
func (*AuthBackendRole) GetProviderConfigReference ¶
func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference
GetProviderConfigReference of this AuthBackendRole.
func (*AuthBackendRole) GetProviderReference ¶
func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference
GetProviderReference of this AuthBackendRole. Deprecated: Use GetProviderConfigReference.
func (*AuthBackendRole) GetPublishConnectionDetailsTo ¶
func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo
GetPublishConnectionDetailsTo of this AuthBackendRole.
func (*AuthBackendRole) GetTerraformResourceType ¶
func (mg *AuthBackendRole) GetTerraformResourceType() string
GetTerraformResourceType returns Terraform resource type for this AuthBackendRole
func (*AuthBackendRole) GetTerraformSchemaVersion ¶
func (tr *AuthBackendRole) GetTerraformSchemaVersion() int
GetTerraformSchemaVersion returns the associated Terraform schema version
func (*AuthBackendRole) GetWriteConnectionSecretToReference ¶
func (mg *AuthBackendRole) GetWriteConnectionSecretToReference() *xpv1.SecretReference
GetWriteConnectionSecretToReference of this AuthBackendRole.
func (*AuthBackendRole) LateInitialize ¶
func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error)
LateInitialize this AuthBackendRole using its observed tfState. Returns true if there are any spec changes for the resource.
func (*AuthBackendRole) SetConditions ¶
func (mg *AuthBackendRole) SetConditions(c ...xpv1.Condition)
SetConditions of this AuthBackendRole.
func (*AuthBackendRole) SetDeletionPolicy ¶
func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy)
SetDeletionPolicy of this AuthBackendRole.
func (*AuthBackendRole) SetManagementPolicies ¶ added in v0.2.0
func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies)
SetManagementPolicies of this AuthBackendRole.
func (*AuthBackendRole) SetObservation ¶
func (tr *AuthBackendRole) SetObservation(obs map[string]any) error
SetObservation for this AuthBackendRole
func (*AuthBackendRole) SetParameters ¶
func (tr *AuthBackendRole) SetParameters(params map[string]any) error
SetParameters for this AuthBackendRole
func (*AuthBackendRole) SetProviderConfigReference ¶
func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference)
SetProviderConfigReference of this AuthBackendRole.
func (*AuthBackendRole) SetProviderReference ¶
func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference)
SetProviderReference of this AuthBackendRole. Deprecated: Use SetProviderConfigReference.
func (*AuthBackendRole) SetPublishConnectionDetailsTo ¶
func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)
SetPublishConnectionDetailsTo of this AuthBackendRole.
func (*AuthBackendRole) SetWriteConnectionSecretToReference ¶
func (mg *AuthBackendRole) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)
SetWriteConnectionSecretToReference of this AuthBackendRole.
type AuthBackendRoleInitParameters ¶ added in v0.2.0
// AuthBackendRoleInitParameters holds the initProvider values of a JWT/OIDC auth
// backend role. Every field is optional at the schema level; which fields are
// meaningful depends on RoleType ("jwt" or "oidc"), see the per-field notes.
type AuthBackendRoleInitParameters struct {
	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles.
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure. Defaults to jwt.
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// List of aud claims to match against; any match is sufficient.
	// For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims
	// or token_bound_cidrs is required (a role with no binding constrains nothing
	// beyond signature validity, presumably why Vault insists on one). Optional for
	// "oidc" roles.
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against. A claim's value must be a
	// string, which may contain one value or multiple comma-separated values,
	// e.g. "red" or "red,green,blue".
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the bound_claims map: either "string" (exact match)
	// or "glob" (wildcard match). Requires Vault 1.4.0 or above.
	// NOTE(review): "glob" widens what a bound claim accepts; keep "string" unless a
	// wildcard is actually needed.
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches this value.
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied to specified metadata fields (values).
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for clock
	// skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if
	// set to -1. Only applicable with "jwt" roles.
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify the set of groups to which the user
	// belongs; this will be used as the names for the Identity group aliases created
	// due to a successful login. The claim value must be a list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time the user
	// was actively authenticated with the OIDC provider.
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in. The value should not contain
	// leading or trailing forward slashes. The namespace is always relative to the
	// provider's configured namespace. Available only for Vault Enterprise.
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for clock
	// skew, in seconds. Can be disabled if set to -1. Only applicable with "jwt" roles.
	// NOTE(review): the two upstream descriptions disagree on the default applied
	// when this is 0 (60 vs 150 seconds); confirm against the Vault version in use.
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role. The standard scope
	// "openid" is automatically included and need not be specified.
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP addresses which can
	// authenticate successfully, and ties the resulting token to these blocks as well.
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an explicit max TTL onto the token in number of seconds.
	// This is a hard cap even if token_ttl and token_max_ttl would otherwise allow
	// a renewal.
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds. Its current
	// value will be referenced at renewal time.
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on generated tokens; otherwise it
	// will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number of times a generated token may be used (within its
	// lifetime); 0 means unlimited.
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the token generated using this role should never
	// expire. The token should be renewed within the duration specified by this
	// value. At each renewal, the token's TTL will be set to the value of this
	// field. Specified in seconds.
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending on the auth
	// method, this list may be supplemented by user/group/other values.
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds. Its
	// current value will be referenced at renewal time.
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service, batch, or default
	// to use the mount's tuned default (which unless changed will be service
	// tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the
	// client requests a different type at generation time.
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify the user; this will be used as the name
	// for the Identity entity alias created due to a successful login.
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses JSON pointer syntax for referencing
	// claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level logging is active.
	// Not recommended in production since sensitive information may be present in
	// OIDC responses.
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}
func (*AuthBackendRoleInitParameters) DeepCopy ¶ added in v0.2.0
func (in *AuthBackendRoleInitParameters) DeepCopy() *AuthBackendRoleInitParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters.
func (*AuthBackendRoleInitParameters) DeepCopyInto ¶ added in v0.2.0
func (in *AuthBackendRoleInitParameters) DeepCopyInto(out *AuthBackendRoleInitParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendRoleList ¶
// AuthBackendRoleList contains a list of AuthBackendRoles.
type AuthBackendRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the AuthBackendRole resources in this list.
	Items []AuthBackendRole `json:"items"`
}
AuthBackendRoleList contains a list of AuthBackendRoles
func (*AuthBackendRoleList) DeepCopy ¶
func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList.
func (*AuthBackendRoleList) DeepCopyInto ¶
func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AuthBackendRoleList) DeepCopyObject ¶
func (in *AuthBackendRoleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AuthBackendRoleList) GetItems ¶
func (l *AuthBackendRoleList) GetItems() []resource.Managed
GetItems of this AuthBackendRoleList.
type AuthBackendRoleObservation ¶
// AuthBackendRoleObservation holds the role attributes as observed (read back)
// from the Terraform state. It mirrors AuthBackendRoleInitParameters field for
// field and adds the Terraform resource ID.
type AuthBackendRoleObservation struct {
	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles.
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure. Defaults to jwt.
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// List of aud claims to match against; any match is sufficient.
	// For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims
	// or token_bound_cidrs is required. Optional for "oidc" roles.
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against. A claim's value must be a
	// string, which may contain one value or multiple comma-separated values,
	// e.g. "red" or "red,green,blue".
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the bound_claims map: either "string" (exact match)
	// or "glob" (wildcard match). Requires Vault 1.4.0 or above.
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches this value.
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied to specified metadata fields (values).
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for clock
	// skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if
	// set to -1. Only applicable with "jwt" roles.
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify the set of groups to which the user
	// belongs; this will be used as the names for the Identity group aliases created
	// due to a successful login. The claim value must be a list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// ID of the underlying Terraform resource.
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time the user
	// was actively authenticated with the OIDC provider.
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in. The value should not contain
	// leading or trailing forward slashes. The namespace is always relative to the
	// provider's configured namespace. Available only for Vault Enterprise.
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for clock
	// skew, in seconds. Can be disabled if set to -1. Only applicable with "jwt" roles.
	// NOTE(review): the two upstream descriptions disagree on the default applied
	// when this is 0 (60 vs 150 seconds); confirm against the Vault version in use.
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role. The standard scope
	// "openid" is automatically included and need not be specified.
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP addresses which can
	// authenticate successfully, and ties the resulting token to these blocks as well.
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an explicit max TTL onto the token in number of seconds.
	// This is a hard cap even if token_ttl and token_max_ttl would otherwise allow
	// a renewal.
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds. Its current
	// value will be referenced at renewal time.
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on generated tokens; otherwise it
	// will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number of times a generated token may be used (within its
	// lifetime); 0 means unlimited.
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the token generated using this role should never
	// expire. The token should be renewed within the duration specified by this
	// value. At each renewal, the token's TTL will be set to the value of this
	// field. Specified in seconds.
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending on the auth
	// method, this list may be supplemented by user/group/other values.
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds. Its
	// current value will be referenced at renewal time.
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service, batch, or default
	// to use the mount's tuned default (which unless changed will be service
	// tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the
	// client requests a different type at generation time.
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify the user; this will be used as the name
	// for the Identity entity alias created due to a successful login.
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses JSON pointer syntax for referencing
	// claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level logging is active.
	// Not recommended in production since sensitive information may be present in
	// OIDC responses.
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}
func (*AuthBackendRoleObservation) DeepCopy ¶
func (in *AuthBackendRoleObservation) DeepCopy() *AuthBackendRoleObservation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleObservation.
func (*AuthBackendRoleObservation) DeepCopyInto ¶
func (in *AuthBackendRoleObservation) DeepCopyInto(out *AuthBackendRoleObservation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendRoleParameters ¶
// AuthBackendRoleParameters holds the desired state (spec.forProvider) of a Vault
// JWT/OIDC auth backend role. Each field is tagged for both the Kubernetes API
// (`json`) and the underlying Terraform attribute (`tf`). Every field carries
// +kubebuilder:validation:Optional, so the "required" wording below is enforced by
// Vault/Terraform at reconcile time, not by the API server on admission.
type AuthBackendRoleParameters struct {
	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles. Keep this list as narrow as possible: each entry
	// is a destination the OIDC provider may deliver the authorization response to.
	// +kubebuilder:validation:Optional
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure. Defaults to jwt.
	// +kubebuilder:validation:Optional
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// List of aud claims to match against; any match is sufficient.
	// For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims
	// or token_bound_cidrs is required. Optional for "oidc" roles.
	// The aud binding is what stops a token the same issuer minted for a different
	// relying party from being accepted by this role.
	// +kubebuilder:validation:Optional
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against. A claim's value must be
	// a string, which may contain one value or multiple comma-separated values,
	// e.g. "red" or "red,green,blue" (see disable_bound_claims_parsing).
	// +kubebuilder:validation:Optional
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values map (bound_claims): either
	// "string" (exact match) or "glob" (wildcard match). Requires Vault 1.4.0 or
	// above. Glob patterns widen what is accepted; review them as you would any
	// wildcard in an allow-list.
	// +kubebuilder:validation:Optional
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches this value.
	// +kubebuilder:validation:Optional
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied to specified metadata fields
	// (values).
	// +kubebuilder:validation:Optional
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// +kubebuilder:validation:Optional
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	// +kubebuilder:validation:Optional
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for clock
	// skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if
	// set to -1. Only applicable with "jwt" roles.
	// +kubebuilder:validation:Optional
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify the set of groups to which the user
	// belongs; this will be used as the names for the Identity group aliases
	// created due to a successful login. The claim value must be a list of strings.
	// +kubebuilder:validation:Optional
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time the user
	// was actively authenticated with the OIDC provider.
	// +kubebuilder:validation:Optional
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in. The value should not contain
	// leading or trailing forward slashes. The namespace is always relative to the
	// provider's configured namespace. Available only for Vault Enterprise.
	// +kubebuilder:validation:Optional
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for clock
	// skew, in seconds. Can be disabled if set to -1. Only applicable with "jwt"
	// roles.
	// NOTE(review): the two generated descriptions disagree on the default applied
	// when this is 0 (60 vs 150 seconds); upstream Vault documents 150 seconds for
	// not_before_leeway — confirm against the provider schema before relying on it.
	// +kubebuilder:validation:Optional
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role. The standard
	// scope "openid" is automatically included and need not be specified.
	// +kubebuilder:validation:Optional
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// +kubebuilder:validation:Optional
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// +kubebuilder:validation:Optional
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP addresses which can
	// authenticate successfully, and ties the resulting token to these blocks as
	// well, so the issued token cannot be used from outside them.
	// +kubebuilder:validation:Optional
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an explicit max TTL onto the token in number of seconds.
	// This is a hard cap even if token_ttl and token_max_ttl would otherwise allow
	// a renewal.
	// +kubebuilder:validation:Optional
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds. Its current
	// value will be referenced at renewal time.
	// +kubebuilder:validation:Optional
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on generated tokens; otherwise it
	// will be added to the policies set in token_policies.
	// +kubebuilder:validation:Optional
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number of times a generated token may be used (within its
	// lifetime); 0 means unlimited.
	// +kubebuilder:validation:Optional
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the token generated using this role should never
	// expire. The token should be renewed within the duration specified by this
	// value. At each renewal, the token's TTL will be set to the value of this
	// field. Specified in seconds. A periodic token has no overall lifetime bound
	// unless token_explicit_max_ttl is also set; consider pairing the two.
	// +kubebuilder:validation:Optional
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending on the auth
	// method, this list may be supplemented by user/group/other values.
	// +kubebuilder:validation:Optional
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds. Its
	// current value will be referenced at renewal time.
	// +kubebuilder:validation:Optional
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service, batch, or default
	// to use the mount's tuned default (which unless changed will be service
	// tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the
	// client requests a different type at generation time.
	// +kubebuilder:validation:Optional
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify the user; this will be used as the name
	// for the Identity entity alias created due to a successful login. Pick a claim
	// the issuer guarantees to be stable and unique (e.g. sub) rather than one the
	// end user can change, because it decides which Vault identity a login maps to.
	// +kubebuilder:validation:Optional
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses JSON pointer syntax for referencing
	// claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// +kubebuilder:validation:Optional
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level logging is active. Not
	// recommended in production since sensitive information may be present in
	// OIDC responses.
	// +kubebuilder:validation:Optional
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}
func (*AuthBackendRoleParameters) DeepCopy
func (in *AuthBackendRoleParameters) DeepCopy() *AuthBackendRoleParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleParameters.
func (*AuthBackendRoleParameters) DeepCopyInto
func (in *AuthBackendRoleParameters) DeepCopyInto(out *AuthBackendRoleParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendRoleSpec
// AuthBackendRoleSpec defines the desired state of AuthBackendRole.
type AuthBackendRoleSpec struct {
	// Crossplane-common spec fields (provider config reference, deletion and
	// management policies, connection-secret targets) are inlined here.
	v1.ResourceSpec `json:",inline"`

	// ForProvider is the desired Vault-side configuration of the role, expressed
	// as the Terraform-backed fields of AuthBackendRoleParameters.
	ForProvider AuthBackendRoleParameters `json:"forProvider"`

	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
	// unless the relevant Crossplane feature flag is enabled, and may be
	// changed or removed without notice.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because an external controller is managing them, like an
	// autoscaler.
	InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"`
}
AuthBackendRoleSpec defines the desired state of AuthBackendRole.
func (*AuthBackendRoleSpec) DeepCopy
func (in *AuthBackendRoleSpec) DeepCopy() *AuthBackendRoleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec.
func (*AuthBackendRoleSpec) DeepCopyInto
func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendRoleStatus
// AuthBackendRoleStatus defines the observed state of AuthBackendRole.
type AuthBackendRoleStatus struct {
	// Crossplane-common status fields (conditions) are inlined here.
	v1.ResourceStatus `json:",inline"`

	// AtProvider is the role configuration as last observed on the Vault side;
	// it is read back by the controller rather than set by users.
	AtProvider AuthBackendRoleObservation `json:"atProvider,omitempty"`
}
AuthBackendRoleStatus defines the observed state of AuthBackendRole.
func (*AuthBackendRoleStatus) DeepCopy
func (in *AuthBackendRoleStatus) DeepCopy() *AuthBackendRoleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleStatus.
func (*AuthBackendRoleStatus) DeepCopyInto
func (in *AuthBackendRoleStatus) DeepCopyInto(out *AuthBackendRoleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendSpec
// AuthBackendSpec defines the desired state of AuthBackend.
type AuthBackendSpec struct {
	// Crossplane-common spec fields (provider config reference, deletion and
	// management policies, connection-secret targets) are inlined here.
	v1.ResourceSpec `json:",inline"`

	// ForProvider is the desired Vault-side configuration of the auth backend
	// mount, expressed as the Terraform-backed fields of AuthBackendParameters.
	ForProvider AuthBackendParameters `json:"forProvider"`

	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
	// unless the relevant Crossplane feature flag is enabled, and may be
	// changed or removed without notice.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because an external controller is managing them, like an
	// autoscaler.
	InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"`
}
AuthBackendSpec defines the desired state of AuthBackend.
func (*AuthBackendSpec) DeepCopy
func (in *AuthBackendSpec) DeepCopy() *AuthBackendSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec.
func (*AuthBackendSpec) DeepCopyInto
func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthBackendStatus
// AuthBackendStatus defines the observed state of AuthBackend.
type AuthBackendStatus struct {
	// Crossplane-common status fields (conditions) are inlined here.
	v1.ResourceStatus `json:",inline"`

	// AtProvider is the mount configuration as last observed on the Vault side;
	// it is read back by the controller rather than set by users.
	AtProvider AuthBackendObservation `json:"atProvider,omitempty"`
}
AuthBackendStatus defines the observed state of AuthBackend.
func (*AuthBackendStatus) DeepCopy
func (in *AuthBackendStatus) DeepCopy() *AuthBackendStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendStatus.
func (*AuthBackendStatus) DeepCopyInto
func (in *AuthBackendStatus) DeepCopyInto(out *AuthBackendStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TuneInitParameters (added in v0.2.0)
// TuneInitParameters carries the mount-tuning settings accepted under the
// auth backend's initProvider. It mirrors TuneParameters field for field; unlike
// TuneObservation, the tf tags here carry no omitempty — presumably so an
// explicitly emptied value is still written to Terraform (TODO confirm against
// the upjet tag handling).
type TuneInitParameters struct {
	// List of headers to whitelist and allowing a plugin to include them in the
	// response.
	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"`

	// Specifies the list of keys that will not be HMAC'd by audit devices in the
	// request data object. Values under these keys are written to audit logs in
	// clear text, so never list a key that carries a credential or token.
	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"`

	// Specifies the list of keys that will not be HMAC'd by audit devices in the
	// response data object. Same caveat as for the request keys: these appear in
	// clear text in audit output.
	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"`

	// Specifies the default time-to-live. If set, this overrides the global
	// default. Must be a valid duration string.
	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"`

	// Specifies whether to show this mount in the UI-specific listing endpoint.
	// Valid values are "unauth" or "hidden"; "unauth" makes the mount's existence
	// visible to callers that have not authenticated.
	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"`

	// Specifies the maximum time-to-live. If set, this overrides the global
	// default. Must be a valid duration string.
	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"`

	// List of headers to whitelist and pass from the request to the backend.
	// Forwarded headers become client-controlled input to the plugin; keep the
	// list to what the plugin actually consumes.
	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"`

	// Specifies the type of tokens that should be returned by the mount. Valid
	// values are "default-service", "default-batch", "service", "batch".
	TokenType *string `json:"tokenType,omitempty" tf:"token_type"`
}
func (*TuneInitParameters) DeepCopy (added in v0.2.0)
func (in *TuneInitParameters) DeepCopy() *TuneInitParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneInitParameters.
func (*TuneInitParameters) DeepCopyInto (added in v0.2.0)
func (in *TuneInitParameters) DeepCopyInto(out *TuneInitParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TuneObservation
// TuneObservation is the read-back view of the mount-tuning settings, surfaced
// under the auth backend's atProvider status. It has the same fields as
// TuneParameters, with omitempty on the tf tags because unset values are simply
// absent when observed.
type TuneObservation struct {
	// List of headers to whitelist and allowing a plugin to include them in the
	// response.
	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"`

	// Specifies the list of keys that will not be HMAC'd by audit devices in the
	// request data object. Anything listed here is audited in clear text.
	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"`

	// Specifies the list of keys that will not be HMAC'd by audit devices in the
	// response data object. Anything listed here is audited in clear text.
	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"`

	// Specifies the default time-to-live. If set, this overrides the global
	// default. Must be a valid duration string.
	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl,omitempty"`

	// Specifies whether to show this mount in the UI-specific listing endpoint.
	// Valid values are "unauth" or "hidden".
	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"`

	// Specifies the maximum time-to-live. If set, this overrides the global
	// default. Must be a valid duration string.
	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl,omitempty"`

	// List of headers to whitelist and pass from the request to the backend.
	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"`

	// Specifies the type of tokens that should be returned by the mount. Valid
	// values are "default-service", "default-batch", "service", "batch".
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
}
func (*TuneObservation) DeepCopy
func (in *TuneObservation) DeepCopy() *TuneObservation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneObservation.
func (*TuneObservation) DeepCopyInto
func (in *TuneObservation) DeepCopyInto(out *TuneObservation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TuneParameters
// TuneParameters holds the desired mount-tuning settings of a Vault auth backend
// (the Terraform `tune` block). All fields are optional at the CRD level; the tf
// tags carry no omitempty, unlike TuneObservation — presumably so an explicitly
// emptied value is still written to Terraform (TODO confirm against the upjet
// tag handling).
type TuneParameters struct {
	// List of headers to whitelist and allowing a plugin to include them in the
	// response.
	// +kubebuilder:validation:Optional
	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"`

	// Specifies the list of keys that will not be HMAC'd by audit devices in the
	// request data object. Values under these keys are written to audit logs in
	// clear text, so never list a key that carries a credential or token.
	// +kubebuilder:validation:Optional
	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"`

	// Specifies the list of keys that will not be HMAC'd by audit devices in the
	// response data object. Same caveat as for the request keys: these appear in
	// clear text in audit output.
	// +kubebuilder:validation:Optional
	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"`

	// Specifies the default time-to-live. If set, this overrides the global
	// default. Must be a valid duration string.
	// +kubebuilder:validation:Optional
	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"`

	// Specifies whether to show this mount in the UI-specific listing endpoint.
	// Valid values are "unauth" or "hidden"; "unauth" makes the mount's existence
	// visible to callers that have not authenticated.
	// +kubebuilder:validation:Optional
	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"`

	// Specifies the maximum time-to-live. If set, this overrides the global
	// default. Must be a valid duration string.
	// +kubebuilder:validation:Optional
	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"`

	// List of headers to whitelist and pass from the request to the backend.
	// Forwarded headers become client-controlled input to the plugin; keep the
	// list to what the plugin actually consumes.
	// +kubebuilder:validation:Optional
	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"`

	// Specifies the type of tokens that should be returned by the mount. Valid
	// values are "default-service", "default-batch", "service", "batch".
	// +kubebuilder:validation:Optional
	TokenType *string `json:"tokenType,omitempty" tf:"token_type"`
}
func (*TuneParameters) DeepCopy
func (in *TuneParameters) DeepCopy() *TuneParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneParameters.
func (*TuneParameters) DeepCopyInto
func (in *TuneParameters) DeepCopyInto(out *TuneParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.