v1alpha1

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 14, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

+kubebuilder:object:generate=true +groupName=jwt.vault.upbound.io +versionName=v1alpha1

Index

Constants

View Source
const (
	CRDGroup   = "jwt.vault.upbound.io"
	CRDVersion = "v1alpha1"
)

Package type metadata.

Variables

View Source
var (
	AuthBackend_Kind             = "AuthBackend"
	AuthBackend_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: AuthBackend_Kind}.String()
	AuthBackend_KindAPIVersion   = AuthBackend_Kind + "." + CRDGroupVersion.String()
	AuthBackend_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackend_Kind)
)

Repository type metadata.

View Source
var (
	AuthBackendRole_Kind             = "AuthBackendRole"
	AuthBackendRole_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: AuthBackendRole_Kind}.String()
	AuthBackendRole_KindAPIVersion   = AuthBackendRole_Kind + "." + CRDGroupVersion.String()
	AuthBackendRole_GroupVersionKind = CRDGroupVersion.WithKind(AuthBackendRole_Kind)
)

Repository type metadata.

View Source
var (
	// CRDGroupVersion is the API Group Version used to register the objects
	CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type AuthBackend

type AuthBackend struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              AuthBackendSpec   `json:"spec"`
	Status            AuthBackendStatus `json:"status,omitempty"`
}

AuthBackend is the Schema for the AuthBackends API. Managing JWT/OIDC auth backends in Vault +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault}

func (*AuthBackend) DeepCopy

func (in *AuthBackend) DeepCopy() *AuthBackend

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackend.

func (*AuthBackend) DeepCopyInto

func (in *AuthBackend) DeepCopyInto(out *AuthBackend)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthBackend) DeepCopyObject

func (in *AuthBackend) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthBackend) GetCondition

func (mg *AuthBackend) GetCondition(ct xpv1.ConditionType) xpv1.Condition

GetCondition of this AuthBackend.

func (*AuthBackend) GetConnectionDetailsMapping

func (tr *AuthBackend) GetConnectionDetailsMapping() map[string]string

GetConnectionDetailsMapping for this AuthBackend

func (*AuthBackend) GetDeletionPolicy

func (mg *AuthBackend) GetDeletionPolicy() xpv1.DeletionPolicy

GetDeletionPolicy of this AuthBackend.

func (*AuthBackend) GetID

func (tr *AuthBackend) GetID() string

GetID returns ID of underlying Terraform resource of this AuthBackend

func (*AuthBackend) GetInitParameters added in v0.2.0

func (tr *AuthBackend) GetInitParameters() (map[string]any, error)

GetInitParameters of this AuthBackend

func (*AuthBackend) GetManagementPolicies added in v0.2.0

func (mg *AuthBackend) GetManagementPolicies() xpv1.ManagementPolicies

GetManagementPolicies of this AuthBackend.

func (*AuthBackend) GetObservation

func (tr *AuthBackend) GetObservation() (map[string]any, error)

GetObservation of this AuthBackend

func (*AuthBackend) GetParameters

func (tr *AuthBackend) GetParameters() (map[string]any, error)

GetParameters of this AuthBackend

func (*AuthBackend) GetProviderConfigReference

func (mg *AuthBackend) GetProviderConfigReference() *xpv1.Reference

GetProviderConfigReference of this AuthBackend.

func (*AuthBackend) GetProviderReference

func (mg *AuthBackend) GetProviderReference() *xpv1.Reference

GetProviderReference of this AuthBackend. Deprecated: Use GetProviderConfigReference.

func (*AuthBackend) GetPublishConnectionDetailsTo

func (mg *AuthBackend) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo

GetPublishConnectionDetailsTo of this AuthBackend.

func (*AuthBackend) GetTerraformResourceType

func (mg *AuthBackend) GetTerraformResourceType() string

GetTerraformResourceType returns Terraform resource type for this AuthBackend

func (*AuthBackend) GetTerraformSchemaVersion

func (tr *AuthBackend) GetTerraformSchemaVersion() int

GetTerraformSchemaVersion returns the associated Terraform schema version

func (*AuthBackend) GetWriteConnectionSecretToReference

func (mg *AuthBackend) GetWriteConnectionSecretToReference() *xpv1.SecretReference

GetWriteConnectionSecretToReference of this AuthBackend.

func (*AuthBackend) LateInitialize

func (tr *AuthBackend) LateInitialize(attrs []byte) (bool, error)

LateInitialize this AuthBackend using its observed tfState. returns True if there are any spec changes for the resource.

func (*AuthBackend) SetConditions

func (mg *AuthBackend) SetConditions(c ...xpv1.Condition)

SetConditions of this AuthBackend.

func (*AuthBackend) SetDeletionPolicy

func (mg *AuthBackend) SetDeletionPolicy(r xpv1.DeletionPolicy)

SetDeletionPolicy of this AuthBackend.

func (*AuthBackend) SetManagementPolicies added in v0.2.0

func (mg *AuthBackend) SetManagementPolicies(r xpv1.ManagementPolicies)

SetManagementPolicies of this AuthBackend.

func (*AuthBackend) SetObservation

func (tr *AuthBackend) SetObservation(obs map[string]any) error

SetObservation for this AuthBackend

func (*AuthBackend) SetParameters

func (tr *AuthBackend) SetParameters(params map[string]any) error

SetParameters for this AuthBackend

func (*AuthBackend) SetProviderConfigReference

func (mg *AuthBackend) SetProviderConfigReference(r *xpv1.Reference)

SetProviderConfigReference of this AuthBackend.

func (*AuthBackend) SetProviderReference

func (mg *AuthBackend) SetProviderReference(r *xpv1.Reference)

SetProviderReference of this AuthBackend. Deprecated: Use SetProviderConfigReference.

func (*AuthBackend) SetPublishConnectionDetailsTo

func (mg *AuthBackend) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)

SetPublishConnectionDetailsTo of this AuthBackend.

func (*AuthBackend) SetWriteConnectionSecretToReference

func (mg *AuthBackend) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)

SetWriteConnectionSecretToReference of this AuthBackend.

type AuthBackendInitParameters added in v0.2.0

type AuthBackendInitParameters struct {

	// The value against which to match the iss claim in a JWT
	// The value against which to match the iss claim in a JWT
	BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login
	// The default role to use if none is provided during login
	DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"`

	// The description of the auth backend
	// The description of the auth backend
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// If set, opts out of mount migration on path updates.
	// See here for more info on Mount Migration
	// If set, opts out of mount migration on path updates.
	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
	// JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.
	JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
	// A list of supported signing algorithms. Defaults to [RS256]
	JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'.
	JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"`

	// Specifies if the auth method is local only.
	// Specifies if the auth method is local only
	Local *bool `json:"local,omitempty" tf:"local,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
	NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"`

	// Client ID used for OIDC backends
	// Client ID used for OIDC
	OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
	OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"`

	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.
	OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
	// The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.
	OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"`

	// List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
	// The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.
	OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"`

	// Path to mount the JWT/OIDC auth backend
	// path to mount the backend
	Path *string `json:"path,omitempty" tf:"path,omitempty"`

	// Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
	// Provider specific handling configuration
	ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"`

	Tune []TuneInitParameters `json:"tune,omitempty" tf:"tune,omitempty"`

	// Type of auth backend. Should be one of jwt or oidc. Default - jwt
	// Type of backend. Can be either 'jwt' or 'oidc'
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}

func (*AuthBackendInitParameters) DeepCopy added in v0.2.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendInitParameters.

func (*AuthBackendInitParameters) DeepCopyInto added in v0.2.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendList

type AuthBackendList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AuthBackend `json:"items"`
}

AuthBackendList contains a list of AuthBackends

func (*AuthBackendList) DeepCopy

func (in *AuthBackendList) DeepCopy() *AuthBackendList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendList.

func (*AuthBackendList) DeepCopyInto

func (in *AuthBackendList) DeepCopyInto(out *AuthBackendList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthBackendList) DeepCopyObject

func (in *AuthBackendList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthBackendList) GetItems

func (l *AuthBackendList) GetItems() []resource.Managed

GetItems of this AuthBackendList.

type AuthBackendObservation

type AuthBackendObservation struct {

	// The accessor for this auth method
	// The accessor of the JWT auth backend
	Accessor *string `json:"accessor,omitempty" tf:"accessor,omitempty"`

	// The value against which to match the iss claim in a JWT
	// The value against which to match the iss claim in a JWT
	BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login
	// The default role to use if none is provided during login
	DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"`

	// The description of the auth backend
	// The description of the auth backend
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// If set, opts out of mount migration on path updates.
	// See here for more info on Mount Migration
	// If set, opts out of mount migration on path updates.
	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`

	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
	// JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.
	JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
	// A list of supported signing algorithms. Defaults to [RS256]
	JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'.
	JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"`

	// Specifies if the auth method is local only.
	// Specifies if the auth method is local only
	Local *bool `json:"local,omitempty" tf:"local,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
	NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"`

	// Client ID used for OIDC backends
	// Client ID used for OIDC
	OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
	OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"`

	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.
	OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
	// The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.
	OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"`

	// List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
	// The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.
	OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"`

	// Path to mount the JWT/OIDC auth backend
	// path to mount the backend
	Path *string `json:"path,omitempty" tf:"path,omitempty"`

	// Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
	// Provider specific handling configuration
	ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"`

	Tune []TuneObservation `json:"tune,omitempty" tf:"tune,omitempty"`

	// Type of auth backend. Should be one of jwt or oidc. Default - jwt
	// Type of backend. Can be either 'jwt' or 'oidc'
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}

func (*AuthBackendObservation) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendObservation.

func (*AuthBackendObservation) DeepCopyInto

func (in *AuthBackendObservation) DeepCopyInto(out *AuthBackendObservation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendParameters

type AuthBackendParameters struct {

	// The value against which to match the iss claim in a JWT
	// The value against which to match the iss claim in a JWT
	// +kubebuilder:validation:Optional
	BoundIssuer *string `json:"boundIssuer,omitempty" tf:"bound_issuer,omitempty"`

	// The default role to use if none is provided during login
	// The default role to use if none is provided during login
	// +kubebuilder:validation:Optional
	DefaultRole *string `json:"defaultRole,omitempty" tf:"default_role,omitempty"`

	// The description of the auth backend
	// The description of the auth backend
	// +kubebuilder:validation:Optional
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// If set, opts out of mount migration on path updates.
	// See here for more info on Mount Migration
	// If set, opts out of mount migration on path updates.
	// +kubebuilder:validation:Optional
	DisableRemount *bool `json:"disableRemount,omitempty" tf:"disable_remount,omitempty"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
	// +kubebuilder:validation:Optional
	JwksCAPem *string `json:"jwksCaPem,omitempty" tf:"jwks_ca_pem,omitempty"`

	// JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
	// JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'.
	// +kubebuilder:validation:Optional
	JwksURL *string `json:"jwksUrl,omitempty" tf:"jwks_url,omitempty"`

	// A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
	// A list of supported signing algorithms. Defaults to [RS256]
	// +kubebuilder:validation:Optional
	JwtSupportedAlgs []*string `json:"jwtSupportedAlgs,omitempty" tf:"jwt_supported_algs,omitempty"`

	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
	// A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'.
	// +kubebuilder:validation:Optional
	JwtValidationPubkeys []*string `json:"jwtValidationPubkeys,omitempty" tf:"jwt_validation_pubkeys,omitempty"`

	// Specifies if the auth method is local only.
	// Specifies if the auth method is local only
	// +kubebuilder:validation:Optional
	Local *bool `json:"local,omitempty" tf:"local,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	// +kubebuilder:validation:Optional
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
	// Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
	// +kubebuilder:validation:Optional
	NamespaceInState *bool `json:"namespaceInState,omitempty" tf:"namespace_in_state,omitempty"`

	// Client ID used for OIDC backends
	// Client ID used for OIDC
	// +kubebuilder:validation:Optional
	OidcClientID *string `json:"oidcClientId,omitempty" tf:"oidc_client_id,omitempty"`

	// Client Secret used for OIDC backends
	// Client Secret used for OIDC
	// +kubebuilder:validation:Optional
	OidcClientSecretSecretRef *v1.SecretKeySelector `json:"oidcClientSecretSecretRef,omitempty" tf:"-"`

	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
	// The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
	// +kubebuilder:validation:Optional
	OidcDiscoveryCAPem *string `json:"oidcDiscoveryCaPem,omitempty" tf:"oidc_discovery_ca_pem,omitempty"`

	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
	// The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'.
	// +kubebuilder:validation:Optional
	OidcDiscoveryURL *string `json:"oidcDiscoveryUrl,omitempty" tf:"oidc_discovery_url,omitempty"`

	// The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
	// The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false.
	// +kubebuilder:validation:Optional
	OidcResponseMode *string `json:"oidcResponseMode,omitempty" tf:"oidc_response_mode,omitempty"`

	// List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
	// The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'.
	// +kubebuilder:validation:Optional
	OidcResponseTypes []*string `json:"oidcResponseTypes,omitempty" tf:"oidc_response_types,omitempty"`

	// Path to mount the JWT/OIDC auth backend
	// path to mount the backend
	// +kubebuilder:validation:Optional
	Path *string `json:"path,omitempty" tf:"path,omitempty"`

	// Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
	// Provider specific handling configuration
	// +kubebuilder:validation:Optional
	ProviderConfig map[string]*string `json:"providerConfig,omitempty" tf:"provider_config,omitempty"`

	// +kubebuilder:validation:Optional
	Tune []TuneParameters `json:"tune,omitempty" tf:"tune,omitempty"`

	// Type of auth backend. Should be one of jwt or oidc. Default - jwt
	// Type of backend. Can be either 'jwt' or 'oidc'
	// +kubebuilder:validation:Optional
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}

func (*AuthBackendParameters) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendParameters.

func (*AuthBackendParameters) DeepCopyInto

func (in *AuthBackendParameters) DeepCopyInto(out *AuthBackendParameters)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRole

type AuthBackendRole struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.roleName) || has(self.initProvider.roleName)",message="roleName is a required parameter"
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.userClaim) || has(self.initProvider.userClaim)",message="userClaim is a required parameter"
	Spec   AuthBackendRoleSpec   `json:"spec"`
	Status AuthBackendRoleStatus `json:"status,omitempty"`
}

AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,vault}

func (*AuthBackendRole) DeepCopy

func (in *AuthBackendRole) DeepCopy() *AuthBackendRole

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRole.

func (*AuthBackendRole) DeepCopyInto

func (in *AuthBackendRole) DeepCopyInto(out *AuthBackendRole)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthBackendRole) DeepCopyObject

func (in *AuthBackendRole) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthBackendRole) GetCondition

func (mg *AuthBackendRole) GetCondition(ct xpv1.ConditionType) xpv1.Condition

GetCondition of this AuthBackendRole.

func (*AuthBackendRole) GetConnectionDetailsMapping

func (tr *AuthBackendRole) GetConnectionDetailsMapping() map[string]string

GetConnectionDetailsMapping for this AuthBackendRole

func (*AuthBackendRole) GetDeletionPolicy

func (mg *AuthBackendRole) GetDeletionPolicy() xpv1.DeletionPolicy

GetDeletionPolicy of this AuthBackendRole.

func (*AuthBackendRole) GetID

func (tr *AuthBackendRole) GetID() string

GetID returns ID of underlying Terraform resource of this AuthBackendRole

func (*AuthBackendRole) GetInitParameters added in v0.2.0

func (tr *AuthBackendRole) GetInitParameters() (map[string]any, error)

GetInitParameters of this AuthBackendRole

func (*AuthBackendRole) GetManagementPolicies added in v0.2.0

func (mg *AuthBackendRole) GetManagementPolicies() xpv1.ManagementPolicies

GetManagementPolicies of this AuthBackendRole.

func (*AuthBackendRole) GetObservation

func (tr *AuthBackendRole) GetObservation() (map[string]any, error)

GetObservation of this AuthBackendRole

func (*AuthBackendRole) GetParameters

func (tr *AuthBackendRole) GetParameters() (map[string]any, error)

GetParameters of this AuthBackendRole

func (*AuthBackendRole) GetProviderConfigReference

func (mg *AuthBackendRole) GetProviderConfigReference() *xpv1.Reference

GetProviderConfigReference of this AuthBackendRole.

func (*AuthBackendRole) GetProviderReference

func (mg *AuthBackendRole) GetProviderReference() *xpv1.Reference

GetProviderReference of this AuthBackendRole. Deprecated: Use GetProviderConfigReference.

func (*AuthBackendRole) GetPublishConnectionDetailsTo

func (mg *AuthBackendRole) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo

GetPublishConnectionDetailsTo of this AuthBackendRole.

func (*AuthBackendRole) GetTerraformResourceType

func (mg *AuthBackendRole) GetTerraformResourceType() string

GetTerraformResourceType returns Terraform resource type for this AuthBackendRole

func (*AuthBackendRole) GetTerraformSchemaVersion

func (tr *AuthBackendRole) GetTerraformSchemaVersion() int

GetTerraformSchemaVersion returns the associated Terraform schema version

func (*AuthBackendRole) GetWriteConnectionSecretToReference

func (mg *AuthBackendRole) GetWriteConnectionSecretToReference() *xpv1.SecretReference

GetWriteConnectionSecretToReference of this AuthBackendRole.

func (*AuthBackendRole) LateInitialize

func (tr *AuthBackendRole) LateInitialize(attrs []byte) (bool, error)

LateInitialize this AuthBackendRole using its observed tfState. returns True if there are any spec changes for the resource.

func (*AuthBackendRole) SetConditions

func (mg *AuthBackendRole) SetConditions(c ...xpv1.Condition)

SetConditions of this AuthBackendRole.

func (*AuthBackendRole) SetDeletionPolicy

func (mg *AuthBackendRole) SetDeletionPolicy(r xpv1.DeletionPolicy)

SetDeletionPolicy of this AuthBackendRole.

func (*AuthBackendRole) SetManagementPolicies added in v0.2.0

func (mg *AuthBackendRole) SetManagementPolicies(r xpv1.ManagementPolicies)

SetManagementPolicies of this AuthBackendRole.

func (*AuthBackendRole) SetObservation

func (tr *AuthBackendRole) SetObservation(obs map[string]any) error

SetObservation for this AuthBackendRole

func (*AuthBackendRole) SetParameters

func (tr *AuthBackendRole) SetParameters(params map[string]any) error

SetParameters for this AuthBackendRole

func (*AuthBackendRole) SetProviderConfigReference

func (mg *AuthBackendRole) SetProviderConfigReference(r *xpv1.Reference)

SetProviderConfigReference of this AuthBackendRole.

func (*AuthBackendRole) SetProviderReference

func (mg *AuthBackendRole) SetProviderReference(r *xpv1.Reference)

SetProviderReference of this AuthBackendRole. Deprecated: Use SetProviderConfigReference.

func (*AuthBackendRole) SetPublishConnectionDetailsTo

func (mg *AuthBackendRole) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)

SetPublishConnectionDetailsTo of this AuthBackendRole.

func (*AuthBackendRole) SetWriteConnectionSecretToReference

func (mg *AuthBackendRole) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)

SetWriteConnectionSecretToReference of this AuthBackendRole.

type AuthBackendRoleInitParameters added in v0.2.0

type AuthBackendRoleInitParameters struct {

	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles
	// The list of allowed values for redirect_uri during OIDC logins.
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure.
	// Defaults to jwt.
	// Unique name of the auth backend to configure.
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims
	// or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against.
	// Any match is sufficient.
	// List of aud claims to match against. Any match is sufficient.
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against.
	// A claim's value must be a string, which may contain one value or multiple
	// comma-separated values, e.g. "red" or "red,green,blue".
	// Map of claims/values to match against. The expected value may be a single string or a comma-separated string list.
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values
	// map (bound_claims): can be either string (exact match) or glob (wildcard
	// match). Requires Vault 1.4.0 or above.
	// How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match).
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches
	// this value.
	// If set, requires that the sub claim matches this value.
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied
	// to specified metadata fields (values).
	// Map of claims (keys) to be copied to specified metadata fields (values).
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for
	// clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify
	// the set of groups to which the user belongs; this will be used as the names
	// for the Identity group aliases created due to a successful login. The claim
	// value must be a list of strings.
	// The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time
	// the user was actively authenticated with the OIDC provider.
	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for
	// clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role.
	// The standard scope "openid" is automatically included and need not be specified.
	// List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// Name of the role.
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// Type of role, either "oidc" (default) or "jwt"
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an
	// explicit max TTL
	// onto the token in number of seconds. This is a hard cap even if token_ttl and
	// token_max_ttl would otherwise allow a renewal.
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The maximum lifetime of the generated token
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// Generated Token's Period
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	// Generated Token's Policies
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The initial ttl of the token to generate in seconds
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service,
	// batch, or default to use the mount's tuned default (which unless changed will be
	// service tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the client
	// requests a different type at generation time.
	// The type of token to generate, service or batch
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify
	// the user; this will be used as the name for the Identity entity alias created
	// due to a successful login.
	// The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses
	// JSON pointer
	// syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level
	// logging is active. Not recommended in production since sensitive information may be present
	// in OIDC responses.
	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}

func (*AuthBackendRoleInitParameters) DeepCopy added in v0.2.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleInitParameters.

func (*AuthBackendRoleInitParameters) DeepCopyInto added in v0.2.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleList

type AuthBackendRoleList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []AuthBackendRole `json:"items"`
}

AuthBackendRoleList contains a list of AuthBackendRoles

func (*AuthBackendRoleList) DeepCopy

func (in *AuthBackendRoleList) DeepCopy() *AuthBackendRoleList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleList.

func (*AuthBackendRoleList) DeepCopyInto

func (in *AuthBackendRoleList) DeepCopyInto(out *AuthBackendRoleList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AuthBackendRoleList) DeepCopyObject

func (in *AuthBackendRoleList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*AuthBackendRoleList) GetItems

func (l *AuthBackendRoleList) GetItems() []resource.Managed

GetItems of this AuthBackendRoleList.

type AuthBackendRoleObservation

type AuthBackendRoleObservation struct {

	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles
	// The list of allowed values for redirect_uri during OIDC logins.
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure.
	// Defaults to jwt.
	// Unique name of the auth backend to configure.
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims
	// or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against.
	// Any match is sufficient.
	// List of aud claims to match against. Any match is sufficient.
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against.
	// A claim's value must be a string, which may contain one value or multiple
	// comma-separated values, e.g. "red" or "red,green,blue".
	// Map of claims/values to match against. The expected value may be a single string or a comma-separated string list.
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values
	// map (bound_claims): can be either string (exact match) or glob (wildcard
	// match). Requires Vault 1.4.0 or above.
	// How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match).
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches
	// this value.
	// If set, requires that the sub claim matches this value.
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied
	// to specified metadata fields (values).
	// Map of claims (keys) to be copied to specified metadata fields (values).
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for
	// clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify
	// the set of groups to which the user belongs; this will be used as the names
	// for the Identity group aliases created due to a successful login. The claim
	// value must be a list of strings.
	// The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time
	// the user was actively authenticated with the OIDC provider.
	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for
	// clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role.
	// The standard scope "openid" is automatically included and need not be specified.
	// List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// Name of the role.
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// Type of role, either "oidc" (default) or "jwt"
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an
	// explicit max TTL
	// onto the token in number of seconds. This is a hard cap even if token_ttl and
	// token_max_ttl would otherwise allow a renewal.
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The maximum lifetime of the generated token
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// Generated Token's Period
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	// Generated Token's Policies
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The initial ttl of the token to generate in seconds
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service,
	// batch, or default to use the mount's tuned default (which unless changed will be
	// service tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the client
	// requests a different type at generation time.
	// The type of token to generate, service or batch
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify
	// the user; this will be used as the name for the Identity entity alias created
	// due to a successful login.
	// The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses
	// JSON pointer
	// syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level
	// logging is active. Not recommended in production since sensitive information may be present
	// in OIDC responses.
	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}

func (*AuthBackendRoleObservation) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleObservation.

func (*AuthBackendRoleObservation) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleParameters

type AuthBackendRoleParameters struct {

	// The list of allowed values for redirect_uri during OIDC logins.
	// Required for OIDC roles
	// The list of allowed values for redirect_uri during OIDC logins.
	// +kubebuilder:validation:Optional
	AllowedRedirectUris []*string `json:"allowedRedirectUris,omitempty" tf:"allowed_redirect_uris,omitempty"`

	// The unique name of the auth backend to configure.
	// Defaults to jwt.
	// Unique name of the auth backend to configure.
	// +kubebuilder:validation:Optional
	Backend *string `json:"backend,omitempty" tf:"backend,omitempty"`

	// (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims
	// or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against.
	// Any match is sufficient.
	// List of aud claims to match against. Any match is sufficient.
	// +kubebuilder:validation:Optional
	BoundAudiences []*string `json:"boundAudiences,omitempty" tf:"bound_audiences,omitempty"`

	// If set, a map of claims to values to match against.
	// A claim's value must be a string, which may contain one value or multiple
	// comma-separated values, e.g. "red" or "red,green,blue".
	// Map of claims/values to match against. The expected value may be a single string or a comma-separated string list.
	// +kubebuilder:validation:Optional
	BoundClaims map[string]*string `json:"boundClaims,omitempty" tf:"bound_claims,omitempty"`

	// How to interpret values in the claims/values
	// map (bound_claims): can be either string (exact match) or glob (wildcard
	// match). Requires Vault 1.4.0 or above.
	// How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match).
	// +kubebuilder:validation:Optional
	BoundClaimsType *string `json:"boundClaimsType,omitempty" tf:"bound_claims_type,omitempty"`

	// If set, requires that the sub claim matches
	// this value.
	// If set, requires that the sub claim matches this value.
	// +kubebuilder:validation:Optional
	BoundSubject *string `json:"boundSubject,omitempty" tf:"bound_subject,omitempty"`

	// If set, a map of claims (keys) to be copied
	// to specified metadata fields (values).
	// Map of claims (keys) to be copied to specified metadata fields (values).
	// +kubebuilder:validation:Optional
	ClaimMappings map[string]*string `json:"claimMappings,omitempty" tf:"claim_mappings,omitempty"`

	// The amount of leeway to add to all claims to account for clock skew, in
	// seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	// +kubebuilder:validation:Optional
	ClockSkewLeeway *float64 `json:"clockSkewLeeway,omitempty" tf:"clock_skew_leeway,omitempty"`

	// Disable bound claim value parsing. Useful when values contain commas.
	// +kubebuilder:validation:Optional
	DisableBoundClaimsParsing *bool `json:"disableBoundClaimsParsing,omitempty" tf:"disable_bound_claims_parsing,omitempty"`

	// The amount of leeway to add to expiration (exp) claims to account for
	// clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	// +kubebuilder:validation:Optional
	ExpirationLeeway *float64 `json:"expirationLeeway,omitempty" tf:"expiration_leeway,omitempty"`

	// The claim to use to uniquely identify
	// the set of groups to which the user belongs; this will be used as the names
	// for the Identity group aliases created due to a successful login. The claim
	// value must be a list of strings.
	// The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
	// +kubebuilder:validation:Optional
	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`

	// Specifies the allowable elapsed time in seconds since the last time
	// the user was actively authenticated with the OIDC provider.
	// Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.
	// +kubebuilder:validation:Optional
	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`

	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The namespace is always relative to the provider's configured namespace.
	// Available only for Vault Enterprise.
	// Target namespace. (requires Enterprise)
	// +kubebuilder:validation:Optional
	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`

	// The amount of leeway to add to not before (nbf) claims to account for
	// clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1.
	// Only applicable with "jwt" roles.
	// The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles.
	// +kubebuilder:validation:Optional
	NotBeforeLeeway *float64 `json:"notBeforeLeeway,omitempty" tf:"not_before_leeway,omitempty"`

	// If set, a list of OIDC scopes to be used with an OIDC role.
	// The standard scope "openid" is automatically included and need not be specified.
	// List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
	// +kubebuilder:validation:Optional
	OidcScopes []*string `json:"oidcScopes,omitempty" tf:"oidc_scopes,omitempty"`

	// The name of the role.
	// Name of the role.
	// +kubebuilder:validation:Optional
	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`

	// Type of role, either "oidc" (default) or "jwt".
	// Type of role, either "oidc" (default) or "jwt"
	// +kubebuilder:validation:Optional
	RoleType *string `json:"roleType,omitempty" tf:"role_type,omitempty"`

	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	// +kubebuilder:validation:Optional
	TokenBoundCidrs []*string `json:"tokenBoundCidrs,omitempty" tf:"token_bound_cidrs,omitempty"`

	// If set, will encode an
	// explicit max TTL
	// onto the token in number of seconds. This is a hard cap even if token_ttl and
	// token_max_ttl would otherwise allow a renewal.
	// Generated Token's Explicit Maximum TTL in seconds
	// +kubebuilder:validation:Optional
	TokenExplicitMaxTTL *float64 `json:"tokenExplicitMaxTtl,omitempty" tf:"token_explicit_max_ttl,omitempty"`

	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The maximum lifetime of the generated token
	// +kubebuilder:validation:Optional
	TokenMaxTTL *float64 `json:"tokenMaxTtl,omitempty" tf:"token_max_ttl,omitempty"`

	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	// If true, the 'default' policy will not automatically be added to generated tokens
	// +kubebuilder:validation:Optional
	TokenNoDefaultPolicy *bool `json:"tokenNoDefaultPolicy,omitempty" tf:"token_no_default_policy,omitempty"`

	// The maximum number
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	// The maximum number of times a token may be used, a value of zero means unlimited
	// +kubebuilder:validation:Optional
	TokenNumUses *float64 `json:"tokenNumUses,omitempty" tf:"token_num_uses,omitempty"`

	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	// Generated Token's Period
	// +kubebuilder:validation:Optional
	TokenPeriod *float64 `json:"tokenPeriod,omitempty" tf:"token_period,omitempty"`

	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	// Generated Token's Policies
	// +kubebuilder:validation:Optional
	TokenPolicies []*string `json:"tokenPolicies,omitempty" tf:"token_policies,omitempty"`

	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	// The initial ttl of the token to generate in seconds
	// +kubebuilder:validation:Optional
	TokenTTL *float64 `json:"tokenTtl,omitempty" tf:"token_ttl,omitempty"`

	// The type of token that should be generated. Can be service,
	// batch, or default to use the mount's tuned default (which unless changed will be
	// service tokens). For token store roles, there are two additional possibilities:
	// default-service and default-batch which specify the type to return unless the client
	// requests a different type at generation time.
	// The type of token to generate, service or batch
	// +kubebuilder:validation:Optional
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`

	// The claim to use to uniquely identify
	// the user; this will be used as the name for the Identity entity alias created
	// due to a successful login.
	// The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
	// +kubebuilder:validation:Optional
	UserClaim *string `json:"userClaim,omitempty" tf:"user_claim,omitempty"`

	// Specifies if the user_claim value uses
	// JSON pointer
	// syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// Requires Vault 1.11+.
	// Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.
	// +kubebuilder:validation:Optional
	UserClaimJSONPointer *bool `json:"userClaimJsonPointer,omitempty" tf:"user_claim_json_pointer,omitempty"`

	// Log received OIDC tokens and claims when debug-level
	// logging is active. Not recommended in production since sensitive information may be present
	// in OIDC responses.
	// Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
	// +kubebuilder:validation:Optional
	VerboseOidcLogging *bool `json:"verboseOidcLogging,omitempty" tf:"verbose_oidc_logging,omitempty"`
}

func (*AuthBackendRoleParameters) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleParameters.

func (*AuthBackendRoleParameters) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleSpec

type AuthBackendRoleSpec struct {
	v1.ResourceSpec `json:",inline"`
	ForProvider     AuthBackendRoleParameters `json:"forProvider"`
	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
	// unless the relevant Crossplane feature flag is enabled, and may be
	// changed or removed without notice.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	InitProvider AuthBackendRoleInitParameters `json:"initProvider,omitempty"`
}

AuthBackendRoleSpec defines the desired state of AuthBackendRole

func (*AuthBackendRoleSpec) DeepCopy

func (in *AuthBackendRoleSpec) DeepCopy() *AuthBackendRoleSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleSpec.

func (*AuthBackendRoleSpec) DeepCopyInto

func (in *AuthBackendRoleSpec) DeepCopyInto(out *AuthBackendRoleSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendRoleStatus

type AuthBackendRoleStatus struct {
	v1.ResourceStatus `json:",inline"`
	AtProvider        AuthBackendRoleObservation `json:"atProvider,omitempty"`
}

AuthBackendRoleStatus defines the observed state of AuthBackendRole.

func (*AuthBackendRoleStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendRoleStatus.

func (*AuthBackendRoleStatus) DeepCopyInto

func (in *AuthBackendRoleStatus) DeepCopyInto(out *AuthBackendRoleStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendSpec

type AuthBackendSpec struct {
	v1.ResourceSpec `json:",inline"`
	ForProvider     AuthBackendParameters `json:"forProvider"`
	// THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored
	// unless the relevant Crossplane feature flag is enabled, and may be
	// changed or removed without notice.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	InitProvider AuthBackendInitParameters `json:"initProvider,omitempty"`
}

AuthBackendSpec defines the desired state of AuthBackend

func (*AuthBackendSpec) DeepCopy

func (in *AuthBackendSpec) DeepCopy() *AuthBackendSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendSpec.

func (*AuthBackendSpec) DeepCopyInto

func (in *AuthBackendSpec) DeepCopyInto(out *AuthBackendSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AuthBackendStatus

type AuthBackendStatus struct {
	v1.ResourceStatus `json:",inline"`
	AtProvider        AuthBackendObservation `json:"atProvider,omitempty"`
}

AuthBackendStatus defines the observed state of AuthBackend.

func (*AuthBackendStatus) DeepCopy

func (in *AuthBackendStatus) DeepCopy() *AuthBackendStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthBackendStatus.

func (*AuthBackendStatus) DeepCopyInto

func (in *AuthBackendStatus) DeepCopyInto(out *AuthBackendStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TuneInitParameters added in v0.2.0

type TuneInitParameters struct {

	// List of headers to whitelist and allowing
	// a plugin to include them in the response.
	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"`

	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the request data object.
	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"`

	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the response data object.
	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"`

	// Specifies the default time-to-live.
	// If set, this overrides the global default.
	// Must be a valid duration string
	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"`

	// Specifies whether to show this mount in
	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"`

	// Specifies the maximum time-to-live.
	// If set, this overrides the global default.
	// Must be a valid duration string
	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"`

	// List of headers to whitelist and
	// pass from the request to the backend.
	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"`

	// Specifies the type of tokens that should be returned by
	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
	TokenType *string `json:"tokenType,omitempty" tf:"token_type"`
}

func (*TuneInitParameters) DeepCopy added in v0.2.0

func (in *TuneInitParameters) DeepCopy() *TuneInitParameters

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneInitParameters.

func (*TuneInitParameters) DeepCopyInto added in v0.2.0

func (in *TuneInitParameters) DeepCopyInto(out *TuneInitParameters)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TuneObservation

type TuneObservation struct {

	// List of headers to whitelist and allowing
	// a plugin to include them in the response.
	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers,omitempty"`

	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the request data object.
	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys,omitempty"`

	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the response data object.
	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys,omitempty"`

	// Specifies the default time-to-live.
	// If set, this overrides the global default.
	// Must be a valid duration string
	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl,omitempty"`

	// Specifies whether to show this mount in
	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility,omitempty"`

	// Specifies the maximum time-to-live.
	// If set, this overrides the global default.
	// Must be a valid duration string
	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl,omitempty"`

	// List of headers to whitelist and
	// pass from the request to the backend.
	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers,omitempty"`

	// Specifies the type of tokens that should be returned by
	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
	TokenType *string `json:"tokenType,omitempty" tf:"token_type,omitempty"`
}

func (*TuneObservation) DeepCopy

func (in *TuneObservation) DeepCopy() *TuneObservation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneObservation.

func (*TuneObservation) DeepCopyInto

func (in *TuneObservation) DeepCopyInto(out *TuneObservation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TuneParameters

type TuneParameters struct {

	// List of headers to whitelist and allowing
	// a plugin to include them in the response.
	// +kubebuilder:validation:Optional
	AllowedResponseHeaders []*string `json:"allowedResponseHeaders,omitempty" tf:"allowed_response_headers"`

	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the request data object.
	// +kubebuilder:validation:Optional
	AuditNonHMACRequestKeys []*string `json:"auditNonHmacRequestKeys,omitempty" tf:"audit_non_hmac_request_keys"`

	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the response data object.
	// +kubebuilder:validation:Optional
	AuditNonHMACResponseKeys []*string `json:"auditNonHmacResponseKeys,omitempty" tf:"audit_non_hmac_response_keys"`

	// Specifies the default time-to-live.
	// If set, this overrides the global default.
	// Must be a valid duration string
	// +kubebuilder:validation:Optional
	DefaultLeaseTTL *string `json:"defaultLeaseTtl,omitempty" tf:"default_lease_ttl"`

	// Specifies whether to show this mount in
	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
	// +kubebuilder:validation:Optional
	ListingVisibility *string `json:"listingVisibility,omitempty" tf:"listing_visibility"`

	// Specifies the maximum time-to-live.
	// If set, this overrides the global default.
	// Must be a valid duration string
	// +kubebuilder:validation:Optional
	MaxLeaseTTL *string `json:"maxLeaseTtl,omitempty" tf:"max_lease_ttl"`

	// List of headers to whitelist and
	// pass from the request to the backend.
	// +kubebuilder:validation:Optional
	PassthroughRequestHeaders []*string `json:"passthroughRequestHeaders,omitempty" tf:"passthrough_request_headers"`

	// Specifies the type of tokens that should be returned by
	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
	// +kubebuilder:validation:Optional
	TokenType *string `json:"tokenType,omitempty" tf:"token_type"`
}

func (*TuneParameters) DeepCopy

func (in *TuneParameters) DeepCopy() *TuneParameters

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TuneParameters.

func (*TuneParameters) DeepCopyInto

func (in *TuneParameters) DeepCopyInto(out *TuneParameters)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL