Merge branch 'main' into gcp-auth-engine-config

Author: erlisb

.github/workflows/pr.yaml

@@ -13,5 +13,5 @@ jobs:
       RUN_UNIT_TESTS: true
       RUN_INTEGRATION_TESTS: true
       RUN_HELMCHART_TEST: true
-      GO_VERSION: ~1.19
+      GO_VERSION: ~1.21
       OPERATOR_SDK_VERSION: v1.25.3

.github/workflows/push.yaml

@@ -20,5 +20,5 @@ jobs:
       RUN_UNIT_TESTS: true
       RUN_INTEGRATION_TESTS: true
       RUN_HELMCHART_TEST: true
-      GO_VERSION: ~1.19
+      GO_VERSION: ~1.21
       OPERATOR_SDK_VERSION: v1.25.3

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.21 as builder
 
 WORKDIR /workspace
 # Copy the Go Modules manifests

api/v1alpha1/authenginemount_types.go

@@ -53,6 +53,10 @@ type AuthEngineMountSpec struct {
 	Name string `json:"name,omitempty"`
 }
 
+func (d *AuthEngineMount) IsDeletable() bool {
+	return true
+}
+
 func (d *AuthEngineMount) GetPath() string {
 	if d.Spec.Name != "" {
 		return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name)

api/v1alpha1/azureauthengineconfig_types.go

@@ -130,6 +130,10 @@ type AzureConfig struct {
 var _ vaultutils.VaultObject = &AzureAuthEngineConfig{}
 var _ vaultutils.ConditionsAware = &AzureAuthEngineConfig{}
 
+func (d *AzureAuthEngineConfig) IsDeletable() bool {
+	return true
+}
+
 func (d *AzureAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection {
 	return d.Spec.Connection
 }

api/v1alpha1/azureauthenginerole_types.go

@@ -188,6 +188,10 @@ func init() {
 	SchemeBuilder.Register(&AzureAuthEngineRole{}, &AzureAuthEngineRoleList{})
 }
 
+func (d *AzureAuthEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (r *AzureAuthEngineRole) GetConditions() []metav1.Condition {
 	return r.Status.Conditions
 }

api/v1alpha1/azuresecretengineconfig_types.go

@@ -128,6 +128,10 @@ func init() {
 	SchemeBuilder.Register(&AzureSecretEngineConfig{}, &AzureSecretEngineConfigList{})
 }
 
+func (d *AzureSecretEngineConfig) IsDeletable() bool {
+	return true
+}
+
 func (r *AzureSecretEngineConfig) SetConditions(conditions []metav1.Condition) {
 	r.Status.Conditions = conditions
 }

api/v1alpha1/databasesecretengineconfig_types.go

@@ -69,6 +69,10 @@ func (d *DatabaseSecretEngineConfig) GetVaultConnection() *vaultutils.VaultConne
 	return d.Spec.Connection
 }
 
+func (d *DatabaseSecretEngineConfig) IsDeletable() bool {
+	return true
+}
+
 func (d *DatabaseSecretEngineConfig) GetPath() string {
 	if d.Spec.Name != "" {
 		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "config" + "/" + d.Spec.Name)

api/v1alpha1/databasesecretenginerole_types.go

@@ -59,6 +59,10 @@ var _ vaultutils.VaultObject = &DatabaseSecretEngineRole{}
 
 var _ vaultutils.ConditionsAware = &DatabaseSecretEngineRole{}
 
+func (d *DatabaseSecretEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (d *DatabaseSecretEngineRole) GetVaultConnection() *vaultutils.VaultConnection {
 	return d.Spec.Connection
 }

api/v1alpha1/databasesecretenginestaticrole_types.go

@@ -144,6 +144,10 @@ func (d *DatabaseSecretEngineStaticRole) GetVaultConnection() *vaultutils.VaultC
 	return d.Spec.Connection
 }
 
+func (d *DatabaseSecretEngineStaticRole) IsDeletable() bool {
+	return true
+}
+
 func (d *DatabaseSecretEngineStaticRole) GetPath() string {
 	if d.Spec.Name != "" {
 		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "static-roles" + "/" + d.Spec.Name)

api/v1alpha1/gcpauthengineconfig_types.go

@@ -84,14 +84,13 @@ type GCPAuthEngineConfigList struct {
 
 type GCPConfig struct {
 
-
-	// Service Account Name. A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person. 
+	// Service Account Name. A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person.
 	// A service account is identified by its email address, which is unique to the account.
-	// Applications use service accounts to make authorized API calls by authenticating as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation. 
+	// Applications use service accounts to make authorized API calls by authenticating as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
 	// When an application authenticates as a service account, it has access to all resources that the service account has permission to access.
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=""
-	ServiceAccount string `json:"serviceAccount,omitempty"`	
+	ServiceAccount string `json:"serviceAccount,omitempty"`
 
 	// Must be either unique_id or role_id.
 	// If unique_id is specified, the service account's unique ID will be used for alias names during login.
@@ -138,7 +137,7 @@ type GCPConfig struct {
 	CustomEndpoint *apiextensionsv1.JSON `json:"customEndpoint,omitempty"`
 
 	retrievedServiceAccount string `json:"-"`
-	retrievedCredentials string `json:"-"`
+	retrievedCredentials    string `json:"-"`
 }
 
 var _ vaultutils.VaultObject = &GCPAuthEngineConfig{}
@@ -148,6 +147,10 @@ func (d *GCPAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection {
 	return d.Spec.Connection
 }
 
+func (d *GCPAuthEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (r *GCPAuthEngineConfig) GetConditions() []metav1.Condition {
 	return r.Status.Conditions
 }

api/v1alpha1/gcpauthenginerole_types.go

@@ -215,6 +215,10 @@ func init() {
 	SchemeBuilder.Register(&GCPAuthEngineRole{}, &GCPAuthEngineRoleList{})
 }
 
+func (d *GCPAuthEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (r *GCPAuthEngineRole) GetConditions() []metav1.Condition {
 	return r.Status.Conditions
 }

api/v1alpha1/githubsecretengineconfig_types.go

@@ -96,6 +96,10 @@ func (d *GitHubSecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnect
 	return d.Spec.Connection
 }
 
+func (d *GitHubSecretEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (d *GitHubSecretEngineConfig) GetPath() string {
 	return string(d.Spec.Path) + "/" + "config"
 }

api/v1alpha1/githubsecretenginerole_types.go

@@ -115,6 +115,10 @@ func (d *GitHubSecretEngineRole) IsInitialized() bool {
 	return true
 }
 
+func (d *GitHubSecretEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (d *GitHubSecretEngineRole) PrepareInternalValues(context context.Context, object client.Object) error {
 	return nil
 }

api/v1alpha1/group_types.go

@@ -119,6 +119,10 @@ func (m *Group) GetConditions() []metav1.Condition {
 	return m.Status.Conditions
 }
 
+func (d *Group) IsDeletable() bool {
+	return true
+}
+
 func (m *Group) SetConditions(conditions []metav1.Condition) {
 	m.Status.Conditions = conditions
 }

api/v1alpha1/groupalias_types.go

@@ -107,6 +107,10 @@ func (m *GroupAlias) GetConditions() []metav1.Condition {
 	return m.Status.Conditions
 }
 
+func (d *GroupAlias) IsDeletable() bool {
+	return true
+}
+
 func (m *GroupAlias) SetConditions(conditions []metav1.Condition) {
 	m.Status.Conditions = conditions
 }

api/v1alpha1/jwtoidcauthengineconfig_types.go

@@ -174,6 +174,10 @@ func (d *JWTOIDCAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnecti
 	return d.Spec.Connection
 }
 
+func (d *JWTOIDCAuthEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (r *JWTOIDCAuthEngineConfig) GetConditions() []metav1.Condition {
 	return r.Status.Conditions
 }

api/v1alpha1/jwtoidcauthenginerole_types.go

@@ -257,6 +257,10 @@ func (d *JWTOIDCAuthEngineRole) GetVaultConnection() *vaultutils.VaultConnection
 	return d.Spec.Connection
 }
 
+func (d *JWTOIDCAuthEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (r *JWTOIDCAuthEngineRole) GetKubeAuthConfiguration() *vaultutils.KubeAuthConfiguration {
 	return &r.Spec.Authentication
 }

api/v1alpha1/kubernetesauthengineconfig_types.go

@@ -85,6 +85,10 @@ func (d *KubernetesAuthEngineConfig) IsInitialized() bool {
 	return true
 }
 
+func (d *KubernetesAuthEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (d *KubernetesAuthEngineConfig) PrepareInternalValues(context context.Context, object client.Object) error {
 	log := log.FromContext(context)
 
@@ -144,6 +148,17 @@ type KAECConfig struct {
 	// +kubebuilder:default=false
 	DisableLocalCAJWT bool `json:"disableLocalCAJWT,omitempty"`
 
+	// UseOperatorPodCA . This field is considered only if `kubernetesCACert` is not set and `disableLocalCAJWT` is set to true.
+	// In this case if this field is set to true the operator pod's CA is injected. This is the original behavior before the introduction of this field
+	// If tis field is set to false, the os ca bundle of where vault is running will be used.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	UseOperatorPodCA bool `json:"useOperatorPodCA,omitempty"`
+
+	// UseAnnotationsAsAliasMetadata  Use annotations from the client token's associated service account as alias metadata for the Vault entity. Only annotations with the vault.hashicorp.com/alias-metadata- key prefix are targeted as alias metadata and your annotations must be 512 characters or less due to the Vault alias metadata value limit. For example, if you configure the annotation vault.hashicorp.com/alias-metadata-foo, Vault saves the string "foo" along with the annotation value to the alias metadata. To save alias metadata, Vault must have permission to read service accounts from the Kubernetes API.
+	// +kubebuilder:validation:Optional
+	UseAnnotationsAsAliasMetadata bool `json:"useAnnotationsAsAliasMetadata,omitempty"`
+
 	retrievedTokenReviewerJWT string `json:"-"`
 }
 
@@ -199,6 +214,8 @@ func (i *KAECConfig) toMap() map[string]interface{} {
 	payload["issuer"] = i.Issuer
 	payload["disable_iss_validation"] = i.DisableISSValidation
 	payload["disable_local_ca_jwt"] = i.DisableLocalCAJWT
+	payload["use_annotations_as_alias_metadata"] = i.UseAnnotationsAsAliasMetadata
+
 	return payload
 }
 

api/v1alpha1/kubernetesauthengineconfig_webhook.go

@@ -45,7 +45,7 @@ var _ webhook.Defaulter = &KubernetesAuthEngineConfig{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *KubernetesAuthEngineConfig) Default() {
 	kubernetesauthengineconfiglog.Info("default", "name", r.Name)
-	if r.Spec.KubernetesCACert == "" {
+	if r.Spec.UseOperatorPodCA && r.Spec.KubernetesCACert == "" {
 		b, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
 		if err != nil {
 			kubernetesauthengineconfiglog.Error(err, "unable to read file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt")

api/v1alpha1/kubernetesauthenginerole_types.go

@@ -67,6 +67,10 @@ func (d *KubernetesAuthEngineRole) GetVaultConnection() *vaultutils.VaultConnect
 	return d.Spec.Connection
 }
 
+func (d *KubernetesAuthEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (d *KubernetesAuthEngineRole) GetPath() string {
 	if d.Spec.Name != "" {
 		return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/role/" + d.Spec.Name)

api/v1alpha1/kubernetessecretengineconfig_types.go

@@ -106,6 +106,10 @@ func (d *KubernetesSecretEngineConfig) GetVaultConnection() *vaultutils.VaultCon
 	return d.Spec.Connection
 }
 
+func (d *KubernetesSecretEngineConfig) IsDeletable() bool {
+	return true
+}
+
 func (d *KubernetesSecretEngineConfig) GetPath() string {
 	return string(d.Spec.Path) + "/" + "config"
 }

api/v1alpha1/kubernetessecretenginerole_types.go

@@ -61,6 +61,10 @@ var _ vaultutils.VaultObject = &KubernetesSecretEngineRole{}
 
 var _ vaultutils.ConditionsAware = &KubernetesSecretEngineRole{}
 
+func (d *KubernetesSecretEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (d *KubernetesSecretEngineRole) GetPath() string {
 	if d.Spec.Name != "" {
 		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Spec.Name)

api/v1alpha1/ldapauthengineconfig_types.go

@@ -61,6 +61,10 @@ func (d *LDAPAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection
 	return d.Spec.Connection
 }
 
+func (d *LDAPAuthEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (d *LDAPAuthEngineConfig) GetPath() string {
 	return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/config")
 }

api/v1alpha1/ldapauthenginegroup_types.go

@@ -63,6 +63,10 @@ func (d *LDAPAuthEngineGroup) GetPath() string {
 	return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/groups/" + string(d.Spec.Name))
 }
 
+func (d *LDAPAuthEngineGroup) IsDeletable() bool {
+	return true
+}
+
 func (d *LDAPAuthEngineGroup) GetPayload() map[string]interface{} {
 	return d.toMap()
 }

api/v1alpha1/passwordpolicy_types.go

@@ -54,6 +54,10 @@ func (d *PasswordPolicy) IsInitialized() bool {
 	return true
 }
 
+func (d *PasswordPolicy) IsDeletable() bool {
+	return true
+}
+
 func (d *PasswordPolicy) PrepareInternalValues(context context.Context, object client.Object) error {
 	return nil
 }

api/v1alpha1/pkisecretengineconfig_types.go

@@ -233,6 +233,10 @@ func (d *PKISecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnection
 	return d.Spec.Connection
 }
 
+func (d *PKISecretEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (p *PKISecretEngineConfig) GetPath() string {
 	return string(p.Spec.Path)
 }

api/v1alpha1/pkisecretenginerole_types.go

@@ -92,6 +92,10 @@ func (r *PKISecretEngineRole) IsValid() (bool, error) {
 	return true, nil
 }
 
+func (d *PKISecretEngineRole) IsDeletable() bool {
+	return true
+}
+
 type PKIRole struct {
 
 	// Specifies the Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.

api/v1alpha1/policy_types.go

@@ -71,6 +71,10 @@ func (d *Policy) IsInitialized() bool {
 	return true
 }
 
+func (d *Policy) IsDeletable() bool {
+	return true
+}
+
 func (d *Policy) PrepareInternalValues(context context.Context, object client.Object) error {
 	// Fast path escape if no "${..}" placeholder is detected
 	match, err := regexp.MatchString("\\${[^}]+}", d.Spec.Policy)

api/v1alpha1/quaysecretengineconfig_types.go

@@ -59,6 +59,10 @@ func (d *QuaySecretEngineConfig) GetVaultConnection() *vaultutils.VaultConnectio
 	return d.Spec.Connection
 }
 
+func (d *QuaySecretEngineConfig) IsDeletable() bool {
+	return false
+}
+
 func (q *QuaySecretEngineConfig) GetPath() string {
 	return string(q.Spec.Path) + "/" + "config"
 }

api/v1alpha1/quaysecretenginerole_types.go

@@ -76,6 +76,10 @@ func (d *QuaySecretEngineRole) GetVaultConnection() *vaultutils.VaultConnection
 	return d.Spec.Connection
 }
 
+func (d *QuaySecretEngineRole) IsDeletable() bool {
+	return true
+}
+
 func (d *QuaySecretEngineRole) GetPath() string {
 	if d.Spec.Name != "" {
 		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Spec.Name)

api/v1alpha1/quaysecretenginestaticrole_types.go

@@ -74,6 +74,10 @@ func (q *QuaySecretEngineStaticRole) IsInitialized() bool {
 	return true
 }
 
+func (d *QuaySecretEngineStaticRole) IsDeletable() bool {
+	return true
+}
+
 func (q *QuaySecretEngineStaticRole) PrepareInternalValues(context context.Context, object client.Object) error {
 	return nil
 }