From cfc89bace89f42e756b97467ab349a7d668fa1c7 Mon Sep 17 00:00:00 2001 From: Denis Baryshev Date: Fri, 16 Aug 2024 14:53:26 +0300 Subject: [PATCH] feat(crossplane): add crossplane vault provider 
Signed-off-by: Denis Baryshev --- crossplane-provider-vault/README.md | 3 + ...vault_upbound_io_v1alpha1_secret_backend.k | 805 +++ ...ad_vault_upbound_io_v1alpha1_secret_role.k | 399 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 487 ++ ...t_upbound_io_v1alpha1_auth_backend_login.k | 417 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 535 ++ ..._io_v1alpha1_auth_backend_role_secret_id.k | 449 ++ ...vault_upbound_io_v1alpha1_request_header.k | 367 ++ .../auth_vault_upbound_io_v1alpha1_backend.k | 545 ++ ...lt_upbound_io_v1alpha1_auth_backend_cert.k | 391 ++ ..._upbound_io_v1alpha1_auth_backend_client.k | 479 ++ ...io_v1alpha1_auth_backend_config_identity.k | 403 ++ ...v1alpha1_auth_backend_identity_whitelist.k | 379 ++ ...t_upbound_io_v1alpha1_auth_backend_login.k | 491 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 671 +++ ...pbound_io_v1alpha1_auth_backend_role_tag.k | 435 ++ ..._v1alpha1_auth_backend_roletag_blacklist.k | 379 ++ ...pbound_io_v1alpha1_auth_backend_sts_role.k | 379 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 563 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 475 ++ ..._upbound_io_v1alpha1_auth_backend_config.k | 457 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 547 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 507 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 587 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 655 +++ ...vault_upbound_io_v1alpha1_secret_backend.k | 541 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 499 ++ ...nd_io_v1alpha1_secret_backend_connection.k | 3481 ++++++++++++ ..._upbound_io_v1alpha1_secret_backend_role.k | 475 ++ ...d_io_v1alpha1_secret_backend_static_role.k | 439 ++ ..._vault_upbound_io_v1alpha1_secrets_mount.k | 4833 +++++++++++++++++ .../egp_vault_upbound_io_v1alpha1_policy.k | 391 ++ ...p_vault_upbound_io_v1alpha1_auth_backend.k | 697 +++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 595 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 441 ++ 
..._io_v1alpha1_secret_impersonated_account.k | 395 ++ ...vault_upbound_io_v1alpha1_secret_roleset.k | 473 ++ ...pbound_io_v1alpha1_secret_static_account.k | 473 ++ ...neric_vault_upbound_io_v1alpha1_endpoint.k | 437 ++ ...generic_vault_upbound_io_v1alpha1_secret.k | 405 ++ ...b_vault_upbound_io_v1alpha1_auth_backend.k | 665 +++ .../github_vault_upbound_io_v1alpha1_team.k | 379 ++ .../github_vault_upbound_io_v1alpha1_user.k | 379 ++ ...dentity_vault_upbound_io_v1alpha1_entity.k | 403 ++ ...y_vault_upbound_io_v1alpha1_entity_alias.k | 391 ++ ...ault_upbound_io_v1alpha1_entity_policies.k | 383 ++ ...identity_vault_upbound_io_v1alpha1_group.k | 451 ++ ...ty_vault_upbound_io_v1alpha1_group_alias.k | 379 ++ ...ound_io_v1alpha1_group_member_entity_ids.k | 383 ++ ...bound_io_v1alpha1_group_member_group_ids.k | 379 ++ ...vault_upbound_io_v1alpha1_group_policies.k | 383 ++ ...entity_vault_upbound_io_v1alpha1_mfa_duo.k | 471 ++ ...pbound_io_v1alpha1_mfa_login_enforcement.k | 427 ++ ...ntity_vault_upbound_io_v1alpha1_mfa_okta.k | 445 ++ ...ity_vault_upbound_io_v1alpha1_mfa_pingid.k | 415 ++ ...ntity_vault_upbound_io_v1alpha1_mfa_totp.k | 467 ++ .../identity_vault_upbound_io_v1alpha1_oidc.k | 355 ++ ...ault_upbound_io_v1alpha1_oidc_assignment.k | 379 ++ ...ty_vault_upbound_io_v1alpha1_oidc_client.k | 431 ++ ...ntity_vault_upbound_io_v1alpha1_oidc_key.k | 403 ++ ...d_io_v1alpha1_oidc_key_allowed_client_id.k | 367 ++ ..._vault_upbound_io_v1alpha1_oidc_provider.k | 407 ++ ...tity_vault_upbound_io_v1alpha1_oidc_role.k | 403 ++ ...ity_vault_upbound_io_v1alpha1_oidc_scope.k | 379 ++ ...t_vault_upbound_io_v1alpha1_auth_backend.k | 727 +++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 679 +++ crossplane-provider-vault/kcl.mod | 8 + crossplane-provider-vault/kcl.mod.lock | 5 + ...vault_upbound_io_v1alpha1_secret_backend.k | 487 ++ ...ip_vault_upbound_io_v1alpha1_secret_role.k | 583 ++ ...p_vault_upbound_io_v1alpha1_secret_scope.k | 379 ++ ..._upbound_io_v1alpha1_auth_backend_config.k 
| 453 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 523 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 541 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 487 ++ .../kv_vault_upbound_io_v1alpha1_secret.k | 381 ++ ...lt_upbound_io_v1alpha1_secret_backend_v2.k | 391 ++ .../kv_vault_upbound_io_v1alpha1_secret_v2.k | 539 ++ ...p_vault_upbound_io_v1alpha1_auth_backend.k | 807 +++ ...t_upbound_io_v1alpha1_auth_backend_group.k | 379 ++ ...lt_upbound_io_v1alpha1_auth_backend_user.k | 391 ++ .../managed_vault_upbound_io_v1alpha1_keys.k | 985 ++++ .../mfa_vault_upbound_io_v1alpha1_duo.k | 455 ++ .../mfa_vault_upbound_io_v1alpha1_okta.k | 441 ++ .../mfa_vault_upbound_io_v1alpha1_pingid.k | 419 ++ .../mfa_vault_upbound_io_v1alpha1_totp.k | 439 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 383 ++ ...as_vault_upbound_io_v1alpha1_secret_role.k | 463 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 553 ++ ...ad_vault_upbound_io_v1alpha1_secret_role.k | 403 ++ ...a_vault_upbound_io_v1alpha1_auth_backend.k | 613 +++ ...t_upbound_io_v1alpha1_auth_backend_group.k | 379 ++ ...lt_upbound_io_v1alpha1_auth_backend_user.k | 391 ++ ...assword_vault_upbound_io_v1alpha1_policy.k | 367 ++ ..._upbound_io_v1alpha1_secret_backend_cert.k | 563 ++ ...nd_io_v1alpha1_secret_backend_config_c_a.k | 381 ++ ...d_io_v1alpha1_secret_backend_config_urls.k | 391 ++ ...nd_io_v1alpha1_secret_backend_crl_config.k | 487 ++ ...secret_backend_intermediate_cert_request.k | 643 +++ ...1_secret_backend_intermediate_set_signed.k | 375 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 949 ++++ ...und_io_v1alpha1_secret_backend_root_cert.k | 691 +++ ...a1_secret_backend_root_sign_intermediate.k | 631 +++ ..._upbound_io_v1alpha1_secret_backend_sign.k | 539 ++ ...ta_vault_upbound_io_v1alpha1_lease_count.k | 391 ++ ...ota_vault_upbound_io_v1alpha1_rate_limit.k | 415 ++ ...vault_upbound_io_v1alpha1_secret_backend.k | 503 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 601 ++ 
...raft_vault_upbound_io_v1alpha1_autopilot.k | 427 ++ ...pbound_io_v1alpha1_snapshot_agent_config.k | 667 +++ .../rgp_vault_upbound_io_v1alpha1_policy.k | 379 ++ ...t_upbound_io_v1alpha1_secret_backend_c_a.k | 405 ++ ..._upbound_io_v1alpha1_secret_backend_role.k | 709 +++ ...upbound_io_v1alpha1_cloud_secret_backend.k | 453 ++ ...t_upbound_io_v1alpha1_cloud_secret_creds.k | 379 ++ ...lt_upbound_io_v1alpha1_cloud_secret_role.k | 427 ++ ...lt_upbound_io_v1alpha1_auth_backend_role.k | 559 ++ ...sform_vault_upbound_io_v1alpha1_alphabet.k | 379 ++ ...transform_vault_upbound_io_v1alpha1_role.k | 379 ++ ...sform_vault_upbound_io_v1alpha1_template.k | 427 ++ ...vault_upbound_io_v1alpha1_transformation.k | 451 ++ ...t_upbound_io_v1alpha1_secret_backend_key.k | 527 ++ .../vault_upbound_io_v1alpha1_store_config.k | 441 ++ ...vault_upbound_io_v1beta1_provider_config.k | 241 + ...upbound_io_v1beta1_provider_config_usage.k | 99 + .../vault_vault_upbound_io_v1alpha1_audit.k | 403 ++ .../vault_vault_upbound_io_v1alpha1_mount.k | 491 ++ .../vault_vault_upbound_io_v1alpha1_policy.k | 367 ++ .../vault_vault_upbound_io_v1alpha1_token.k | 519 ++ ...ault_upbound_io_v1alpha1_vault_namespace.k | 383 ++ 130 files changed, 67427 insertions(+) create mode 100644 crossplane-provider-vault/README.md create mode 100644 crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_role.k create mode 100644 crossplane-provider-vault/alicloud/v1alpha1/alicloud_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_login.k create mode 100644 crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role_secret_id.k create mode 100644 
crossplane-provider-vault/audit/v1alpha1/audit_vault_upbound_io_v1alpha1_request_header.k create mode 100644 crossplane-provider-vault/auth/v1alpha1/auth_vault_upbound_io_v1alpha1_backend.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_cert.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_client.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_config_identity.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_identity_whitelist.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_login.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role_tag.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_roletag_blacklist.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_sts_role.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_config.k create mode 100644 crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/cert/v1alpha1/cert_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 
100644 crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_connection.k create mode 100644 crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_static_role.k create mode 100644 crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secrets_mount.k create mode 100644 crossplane-provider-vault/egp/v1alpha1/egp_vault_upbound_io_v1alpha1_policy.k create mode 100644 crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend.k create mode 100644 crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_impersonated_account.k create mode 100644 crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_roleset.k create mode 100644 crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_static_account.k create mode 100644 crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_endpoint.k create mode 100644 crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_secret.k create mode 100644 crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_auth_backend.k create mode 100644 crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_team.k create mode 100644 crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_user.k create mode 100644 
crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_alias.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_policies.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_alias.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_entity_ids.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_group_ids.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_policies.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_duo.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_login_enforcement.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_okta.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_pingid.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_totp.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_assignment.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_client.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key.k create mode 100644 
crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key_allowed_client_id.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_provider.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_role.k create mode 100644 crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_scope.k create mode 100644 crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend.k create mode 100644 crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/kcl.mod create mode 100644 crossplane-provider-vault/kcl.mod.lock create mode 100644 crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_role.k create mode 100644 crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_scope.k create mode 100644 crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_config.k create mode 100644 crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret.k create mode 100644 crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_backend_v2.k create mode 100644 crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_v2.k create mode 100644 crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend.k create mode 100644 
crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_group.k create mode 100644 crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_user.k create mode 100644 crossplane-provider-vault/managed/v1alpha1/managed_vault_upbound_io_v1alpha1_keys.k create mode 100644 crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_duo.k create mode 100644 crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_okta.k create mode 100644 crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_pingid.k create mode 100644 crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_totp.k create mode 100644 crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_role.k create mode 100644 crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_role.k create mode 100644 crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend.k create mode 100644 crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_group.k create mode 100644 crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_user.k create mode 100644 crossplane-provider-vault/password/v1alpha1/password_vault_upbound_io_v1alpha1_policy.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_cert.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_c_a.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_urls.k create mode 100644 
crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_crl_config.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_cert_request.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_set_signed.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_cert.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_sign_intermediate.k create mode 100644 crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_sign.k create mode 100644 crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_lease_count.k create mode 100644 crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_rate_limit.k create mode 100644 crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend.k create mode 100644 crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_autopilot.k create mode 100644 crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_snapshot_agent_config.k create mode 100644 crossplane-provider-vault/rgp/v1alpha1/rgp_vault_upbound_io_v1alpha1_policy.k create mode 100644 crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_c_a.k create mode 100644 crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_role.k create mode 100644 crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_backend.k create mode 100644 
crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_creds.k create mode 100644 crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_role.k create mode 100644 crossplane-provider-vault/token/v1alpha1/token_vault_upbound_io_v1alpha1_auth_backend_role.k create mode 100644 crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_alphabet.k create mode 100644 crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_role.k create mode 100644 crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_template.k create mode 100644 crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_transformation.k create mode 100644 crossplane-provider-vault/transit/v1alpha1/transit_vault_upbound_io_v1alpha1_secret_backend_key.k create mode 100644 crossplane-provider-vault/v1alpha1/vault_upbound_io_v1alpha1_store_config.k create mode 100644 crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config.k create mode 100644 crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config_usage.k create mode 100644 crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_audit.k create mode 100644 crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_mount.k create mode 100644 crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_policy.k create mode 100644 crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_token.k create mode 100644 crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_vault_namespace.k
diff --git a/crossplane-provider-vault/README.md b/crossplane-provider-vault/README.md
new file mode 100644
index 00000000..c9f11b75
--- /dev/null
+++ b/crossplane-provider-vault/README.md
@@ -0,0 +1,3 @@
+# Vault provider
+
+https://github.com/upbound/provider-vault
diff --git a/crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..e1bc0c04 --- /dev/null +++ b/crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,805 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates an Active Directory secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "ad.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AdVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : AdVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "ad.vault.upbound.io/v1alpha1" = "ad.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: AdVaultUpboundIoV1alpha1SecretBackendSpec + + status?: AdVaultUpboundIoV1alpha1SecretBackendStatus + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AdVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : AdVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AdVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AdVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AdVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AdVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: AdVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + ad vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + anonymousGroupSearch : bool, default is Undefined, optional + Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). 
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). + backend : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad. The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". + binddn : str, default is Undefined, optional + Distinguished name of object to bind when performing user and group search. Distinguished name of object to bind when performing user and group search. + bindpassSecretRef : AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderBindpassSecretRef, default is Undefined, optional + bindpass secret ref + caseSensitiveNames : bool, default is Undefined, optional + If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case. If true, case sensitivity will be used when comparing usernames and groups for matching policies. + certificate : str, default is Undefined, optional + CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. + clientTlsCertSecretRef : AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientTLSCertSecretRef, default is Undefined, optional + client Tls cert secret ref + clientTlsKeySecretRef : AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientTLSKeySecretRef, default is Undefined, optional + client Tls key secret ref + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for secrets in seconds. Default lease duration for secrets in seconds + denyNullBind : bool, default is Undefined, optional + Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true. 
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true + description : str, default is Undefined, optional + Human-friendly description of the mount for the Active Directory backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + discoverdn : bool, default is Undefined, optional + Use anonymous bind to discover the bind Distinguished Name of a user. Use anonymous bind to discover the bind DN of a user. + formatter : str, default is Undefined, optional + Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + groupattr : str, default is Undefined, optional + LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn. LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn + groupdn : str, default is Undefined, optional + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) + groupfilter : str, default is Undefined, optional + Go template for querying group membership of user The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) Go template for querying group membership of user. 
The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + insecureTls : bool, default is Undefined, optional + Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false. Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. + lastRotationTolerance : float, default is Undefined, optional + The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. + length : float, default is Undefined, optional + Deprecated use password_policy. The desired length of passwords that Vault generates. Mutually exclusive with The desired length of passwords that Vault generates. + local : bool, default is Undefined, optional + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. + maxTtl : float, default is Undefined, optional + In seconds, the maximum password time-to-live. In seconds, the maximum password time-to-live. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. 
Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordPolicy : str, default is Undefined, optional + 1.11+ Name of the password policy to use to generate passwords. + requestTimeout : float, default is Undefined, optional + Timeout, in seconds, for the connection when making requests against the server before returning back an error. Timeout, in seconds, for the connection when making requests against the server before returning back an error. + starttls : bool, default is Undefined, optional + Issue a StartTLS command after establishing unencrypted connection. Issue a StartTLS command after establishing unencrypted connection. + tlsMaxVersion : str, default is Undefined, optional + Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + tlsMinVersion : str, default is Undefined, optional + Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + ttl : float, default is Undefined, optional + In seconds, the default password time-to-live. In seconds, the default password time-to-live. + upndomain : str, default is Undefined, optional + Enables userPrincipalDomain login with [username]@UPNDomain. Enables userPrincipalDomain login with [username]@UPNDomain. + url : str, default is Undefined, optional + LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. 
+ usePre111GroupCnBehavior : bool, default is Undefined, optional + In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. + useTokenGroups : bool, default is Undefined, optional + If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. + userattr : str, default is Undefined, optional + Attribute used when searching users. Defaults to cn. Attribute used for users (default: cn) + userdn : str, default is Undefined, optional + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. 
LDAP domain to use for users (eg: ou=People,dc=example,dc=org) + """ + + + anonymousGroupSearch?: bool + + backend?: str + + binddn?: str + + bindpassSecretRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderBindpassSecretRef + + caseSensitiveNames?: bool + + certificate?: str + + clientTlsCertSecretRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientTLSCertSecretRef + + clientTlsKeySecretRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientTLSKeySecretRef + + defaultLeaseTtlSeconds?: float + + denyNullBind?: bool + + description?: str + + disableRemount?: bool + + discoverdn?: bool + + formatter?: str + + groupattr?: str + + groupdn?: str + + groupfilter?: str + + insecureTls?: bool + + lastRotationTolerance?: float + + length?: float + + local?: bool + + maxLeaseTtlSeconds?: float + + maxTtl?: float + + namespace?: str + + passwordPolicy?: str + + requestTimeout?: float + + starttls?: bool + + tlsMaxVersion?: str + + tlsMinVersion?: str + + ttl?: float + + upndomain?: str + + url?: str + + usePre111GroupCnBehavior?: bool + + useTokenGroups?: bool + + userattr?: str + + userdn?: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderBindpassSecretRef: + r""" + Password to use along with binddn when performing user search. LDAP password for searching for the user DN. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientTLSCertSecretRef: + r""" + Client certificate to provide to the LDAP server, must be x509 PEM encoded. Client certificate to provide to the LDAP server, must be x509 PEM encoded. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. 
+ name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientTLSKeySecretRef: + r""" + Client certificate key to provide to the LDAP server, must be x509 PEM encoded. Client certificate key to provide to the LDAP server, must be x509 PEM encoded. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + anonymousGroupSearch : bool, default is Undefined, optional + Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). + backend : str, default is Undefined, optional + The unique path this backend should be mounted at. 
Must not begin or end with a /. Defaults to ad. The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". + binddn : str, default is Undefined, optional + Distinguished name of object to bind when performing user and group search. Distinguished name of object to bind when performing user and group search. + caseSensitiveNames : bool, default is Undefined, optional + If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case. If true, case sensitivity will be used when comparing usernames and groups for matching policies. + certificate : str, default is Undefined, optional + CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for secrets in seconds. Default lease duration for secrets in seconds + denyNullBind : bool, default is Undefined, optional + Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true. Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true + description : str, default is Undefined, optional + Human-friendly description of the mount for the Active Directory backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + discoverdn : bool, default is Undefined, optional + Use anonymous bind to discover the bind Distinguished Name of a user. Use anonymous bind to discover the bind DN of a user. + formatter : str, default is Undefined, optional + Deprecated use password_policy. Text to insert the password into, ex. 
"customPrefix{{PASSWORD}}customSuffix". Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + groupattr : str, default is Undefined, optional + LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn. LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn + groupdn : str, default is Undefined, optional + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) + groupfilter : str, default is Undefined, optional + Go template for querying group membership of user The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + insecureTls : bool, default is Undefined, optional + Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false. Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. + lastRotationTolerance : float, default is Undefined, optional + The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. + length : float, default is Undefined, optional + Deprecated use password_policy. The desired length of passwords that Vault generates. 
Mutually exclusive with The desired length of passwords that Vault generates. + local : bool, default is Undefined, optional + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. + maxTtl : float, default is Undefined, optional + In seconds, the maximum password time-to-live. In seconds, the maximum password time-to-live. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordPolicy : str, default is Undefined, optional + 1.11+ Name of the password policy to use to generate passwords. + requestTimeout : float, default is Undefined, optional + Timeout, in seconds, for the connection when making requests against the server before returning back an error. Timeout, in seconds, for the connection when making requests against the server before returning back an error. + starttls : bool, default is Undefined, optional + Issue a StartTLS command after establishing unencrypted connection. Issue a StartTLS command after establishing unencrypted connection. + tlsMaxVersion : str, default is Undefined, optional + Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. 
Defaults to 'tls12' + tlsMinVersion : str, default is Undefined, optional + Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + ttl : float, default is Undefined, optional + In seconds, the default password time-to-live. In seconds, the default password time-to-live. + upndomain : str, default is Undefined, optional + Enables userPrincipalDomain login with [username]@UPNDomain. Enables userPrincipalDomain login with [username]@UPNDomain. + url : str, default is Undefined, optional + LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. + usePre111GroupCnBehavior : bool, default is Undefined, optional + In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. 
+ useTokenGroups : bool, default is Undefined, optional + If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. + userattr : str, default is Undefined, optional + Attribute used when searching users. Defaults to cn. Attribute used for users (default: cn) + userdn : str, default is Undefined, optional + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. LDAP domain to use for users (eg: ou=People,dc=example,dc=org) + """ + + + anonymousGroupSearch?: bool + + backend?: str + + binddn?: str + + caseSensitiveNames?: bool + + certificate?: str + + defaultLeaseTtlSeconds?: float + + denyNullBind?: bool + + description?: str + + disableRemount?: bool + + discoverdn?: bool + + formatter?: str + + groupattr?: str + + groupdn?: str + + groupfilter?: str + + insecureTls?: bool + + lastRotationTolerance?: float + + length?: float + + local?: bool + + maxLeaseTtlSeconds?: float + + maxTtl?: float + + namespace?: str + + passwordPolicy?: str + + requestTimeout?: float + + starttls?: bool + + tlsMaxVersion?: str + + tlsMinVersion?: str + + ttl?: float + + upndomain?: str + + url?: str + + usePre111GroupCnBehavior?: bool + + useTokenGroups?: bool + + userattr?: str + + userdn?: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AdVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AdVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AdVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AdVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : AdVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [AdVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AdVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [AdVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema AdVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + ad vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + anonymousGroupSearch : bool, default is Undefined, optional + Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). 
+ backend : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad. The mount path for a backend, for example, the path given in "$ vault auth enable -path=my-ad ad". + binddn : str, default is Undefined, optional + Distinguished name of object to bind when performing user and group search. Distinguished name of object to bind when performing user and group search. + caseSensitiveNames : bool, default is Undefined, optional + If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case. If true, case sensitivity will be used when comparing usernames and groups for matching policies. + certificate : str, default is Undefined, optional + CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for secrets in seconds. Default lease duration for secrets in seconds + denyNullBind : bool, default is Undefined, optional + Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true. Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true + description : str, default is Undefined, optional + Human-friendly description of the mount for the Active Directory backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + discoverdn : bool, default is Undefined, optional + Use anonymous bind to discover the bind Distinguished Name of a user. Use anonymous bind to discover the bind DN of a user. 
+ formatter : str, default is Undefined, optional + Deprecated use password_policy. Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". Text to insert the password into, ex. "customPrefix{{PASSWORD}}customSuffix". + groupattr : str, default is Undefined, optional + LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn. LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn + groupdn : str, default is Undefined, optional + LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org). LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org) + groupfilter : str, default is Undefined, optional + Go template for querying group membership of user The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) Go template for querying group membership of user. The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) + id : str, default is Undefined, optional + id + insecureTls : bool, default is Undefined, optional + Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false. Skip LDAP server SSL Certificate verification - insecure and not recommended for production use. + lastRotationTolerance : float, default is Undefined, optional + The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band. 
+ length : float, default is Undefined, optional + Deprecated use password_policy. The desired length of passwords that Vault generates. Mutually exclusive with The desired length of passwords that Vault generates. + local : bool, default is Undefined, optional + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. + maxTtl : float, default is Undefined, optional + In seconds, the maximum password time-to-live. In seconds, the maximum password time-to-live. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordPolicy : str, default is Undefined, optional + 1.11+ Name of the password policy to use to generate passwords. + requestTimeout : float, default is Undefined, optional + Timeout, in seconds, for the connection when making requests against the server before returning back an error. Timeout, in seconds, for the connection when making requests against the server before returning back an error. + starttls : bool, default is Undefined, optional + Issue a StartTLS command after establishing unencrypted connection. Issue a StartTLS command after establishing unencrypted connection. + tlsMaxVersion : str, default is Undefined, optional + Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12. Maximum TLS version to use. 
Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + tlsMinVersion : str, default is Undefined, optional + Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12. Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' + ttl : float, default is Undefined, optional + In seconds, the default password time-to-live. In seconds, the default password time-to-live. + upndomain : str, default is Undefined, optional + Enables userPrincipalDomain login with [username]@UPNDomain. Enables userPrincipalDomain login with [username]@UPNDomain. + url : str, default is Undefined, optional + LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1. LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. + usePre111GroupCnBehavior : bool, default is Undefined, optional + In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. 
+ useTokenGroups : bool, default is Undefined, optional + If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. + userattr : str, default is Undefined, optional + Attribute used when searching users. Defaults to cn. Attribute used for users (default: cn) + userdn : str, default is Undefined, optional + LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`. LDAP domain to use for users (eg: ou=People,dc=example,dc=org) + """ + + + anonymousGroupSearch?: bool + + backend?: str + + binddn?: str + + caseSensitiveNames?: bool + + certificate?: str + + defaultLeaseTtlSeconds?: float + + denyNullBind?: bool + + description?: str + + disableRemount?: bool + + discoverdn?: bool + + formatter?: str + + groupattr?: str + + groupdn?: str + + groupfilter?: str + + id?: str + + insecureTls?: bool + + lastRotationTolerance?: float + + length?: float + + local?: bool + + maxLeaseTtlSeconds?: float + + maxTtl?: float + + namespace?: str + + passwordPolicy?: str + + requestTimeout?: float + + starttls?: bool + + tlsMaxVersion?: str + + tlsMinVersion?: str + + ttl?: float + + upndomain?: str + + url?: str + + usePre111GroupCnBehavior?: bool + + useTokenGroups?: bool + + userattr?: str + + userdn?: str + + +schema AdVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_role.k b/crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_role.k new file mode 100644 index 00000000..15267087 --- /dev/null +++ b/crossplane-provider-vault/ad/v1alpha1/ad_vault_upbound_io_v1alpha1_secret_role.k 
@@ -0,0 +1,399 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretRole: + r""" + SecretRole is the Schema for the SecretRoles API. Creates a role on the Active Directory Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "ad.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AdVaultUpboundIoV1alpha1SecretRoleSpec, default is Undefined, required + spec + status : AdVaultUpboundIoV1alpha1SecretRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "ad.vault.upbound.io/v1alpha1" = "ad.vault.upbound.io/v1alpha1" + + kind: "SecretRole" = "SecretRole" + + metadata?: v1.ObjectMeta + + spec: AdVaultUpboundIoV1alpha1SecretRoleSpec + + status?: AdVaultUpboundIoV1alpha1SecretRoleStatus + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpec: + r""" + SecretRoleSpec defines the desired state of SecretRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AdVaultUpboundIoV1alpha1SecretRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AdVaultUpboundIoV1alpha1SecretRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AdVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AdVaultUpboundIoV1alpha1SecretRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AdVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AdVaultUpboundIoV1alpha1SecretRoleSpecForProvider + + initProvider?: AdVaultUpboundIoV1alpha1SecretRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AdVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef + + providerRef?: AdVaultUpboundIoV1alpha1SecretRoleSpecProviderRef + + publishConnectionDetailsTo?: AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AdVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecForProvider: + r""" + ad vault upbound io v1alpha1 secret role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AD secret backend is mounted at, with no leading or trailing /s. The mount path for the AD backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Name of the role. + serviceAccountName : str, default is Undefined, optional + Specifies the name of the Active Directory service account mapped to this role. The username/logon name for the service account with which this role will be associated. + ttl : float, default is Undefined, optional + The password time-to-live in seconds. Defaults to the configuration ttl if not provided. In seconds, the default password time-to-live. + """ + + + backend?: str + + namespace?: str + + role?: str + + serviceAccountName?: str + + ttl?: float + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AD secret backend is mounted at, with no leading or trailing /s. The mount path for the AD backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Name of the role. + serviceAccountName : str, default is Undefined, optional + Specifies the name of the Active Directory service account mapped to this role. The username/logon name for the service account with which this role will be associated. + ttl : float, default is Undefined, optional + The password time-to-live in seconds. Defaults to the configuration ttl if not provided. In seconds, the default password time-to-live. + """ + + + backend?: str + + namespace?: str + + role?: str + + serviceAccountName?: str + + ttl?: float + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AdVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AdVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AdVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AdVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AdVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AdVaultUpboundIoV1alpha1SecretRoleStatus: + r""" + SecretRoleStatus defines the observed state of SecretRole. 
+ + Attributes + ---------- + atProvider : AdVaultUpboundIoV1alpha1SecretRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AdVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AdVaultUpboundIoV1alpha1SecretRoleStatusAtProvider + + conditions?: [AdVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0] + + +schema AdVaultUpboundIoV1alpha1SecretRoleStatusAtProvider: + r""" + ad vault upbound io v1alpha1 secret role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AD secret backend is mounted at, with no leading or trailing /s. The mount path for the AD backend. + id : str, default is Undefined, optional + id + lastVaultRotation : str, default is Undefined, optional + Timestamp of the last password rotation by Vault. Last time Vault rotated this service account's password. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordLastSet : str, default is Undefined, optional + Timestamp of the last password set by Vault. Last time Vault set this service account's password. + role : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Name of the role. + serviceAccountName : str, default is Undefined, optional + Specifies the name of the Active Directory service account mapped to this role. The username/logon name for the service account with which this role will be associated. + ttl : float, default is Undefined, optional + The password time-to-live in seconds. Defaults to the configuration ttl if not provided. In seconds, the default password time-to-live. 
+ """ + + + backend?: str + + id?: str + + lastVaultRotation?: str + + namespace?: str + + passwordLastSet?: str + + role?: str + + serviceAccountName?: str + + ttl?: float + + +schema AdVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/alicloud/v1alpha1/alicloud_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/alicloud/v1alpha1/alicloud_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..798206a7 --- /dev/null +++ b/crossplane-provider-vault/alicloud/v1alpha1/alicloud_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,487 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Managing roles in an AliCloud auth backend in Vault + + Attributes + ---------- + apiVersion : str, default is "alicloud.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "alicloud.vault.upbound.io/v1alpha1" = "alicloud.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema 
AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + alicloud vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + arn : str, default is Undefined, optional + The role's arn. The role's arn. + backend : str, default is Undefined, optional + Path to the mounted AliCloud auth backend. Defaults to alicloud Auth backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the role. Must correspond with the name of the role reflected in the arn. Name of the role. Must correspond with the name of the role reflected in the arn. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. 
If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + arn?: str + + backend?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + arn : str, default is Undefined, optional + The role's arn. The role's arn. + backend : str, default is Undefined, optional + Path to the mounted AliCloud auth backend. Defaults to alicloud Auth backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the role. Must correspond with the name of the role reflected in the arn. Name of the role. Must correspond with the name of the role reflected in the arn. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. 
Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + """ + + + arn?: str + + backend?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. 
Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
+ + Attributes + ---------- + atProvider : AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + alicloud vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + arn : str, default is Undefined, optional + The role's arn. The role's arn. + backend : str, default is Undefined, optional + Path to the mounted AliCloud auth backend. Defaults to alicloud Auth backend. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the role. Must correspond with the name of the role reflected in the arn. Name of the role. Must correspond with the name of the role reflected in the arn. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. 
Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + """ + + + arn?: str + + backend?: str + + id?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AlicloudVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_login.k b/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_login.k new file mode 100644 index 00000000..5c3de05f --- /dev/null +++ b/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_login.k 
@@ -0,0 +1,417 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendLogin: + r""" + AuthBackendLogin is the Schema for the AuthBackendLogins API. Log into Vault using the AppRole auth backend. + + Attributes + ---------- + apiVersion : str, default is "approle.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendLogin", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpec, default is Undefined, required + spec + status : ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatus, default is Undefined, optional + status + """ + + + apiVersion: "approle.vault.upbound.io/v1alpha1" = "approle.vault.upbound.io/v1alpha1" + + kind: "AuthBackendLogin" = "AuthBackendLogin" + + metadata?: v1.ObjectMeta + + spec: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpec + + status?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatus + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpec: + r""" + AuthBackendLoginSpec defines the desired state of AuthBackendLogin + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecForProvider, default is Undefined, required + for provider + initProvider : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecForProvider + + initProvider?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRef + + providerRef?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRef + + publishConnectionDetailsTo?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecWriteConnectionSecretToRef + + +schema 
ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecForProvider: + r""" + approle vault upbound io v1alpha1 auth backend login spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleId : str, default is Undefined, optional + The ID of the role to log in with. The RoleID to log in with. + secretIdSecretRef : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecForProviderSecretIDSecretRef, default is Undefined, optional + secret Id secret ref + """ + + + backend?: str + + namespace?: str + + roleId?: str + + secretIdSecretRef?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecForProviderSecretIDSecretRef + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecForProviderSecretIDSecretRef: + r""" + The secret ID of the role to log in with. Required unless bind_secret_id is set to false on the role. The SecretID to log in with. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. 
The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleId : str, default is Undefined, optional + The ID of the role to log in with. The RoleID to log in with. + """ + + + backend?: str + + namespace?: str + + roleId?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRef + + metadata?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToMetadata + + name: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatus: + r""" + AuthBackendLoginStatus defines the observed state of AuthBackendLogin. + + Attributes + ---------- + atProvider : ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatusAtProvider, default is Undefined, optional + at provider + conditions : [ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatusAtProvider + + conditions?: [ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatusConditionsItems0] + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatusAtProvider: + r""" + approle vault upbound io v1alpha1 auth backend login status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The accessor for the token. The accessor for the token. + backend : str, default is Undefined, optional + The unique path of the Vault backend to log in with. Unique name of the auth backend to configure. + id : str, default is Undefined, optional + id + leaseDuration : float, default is Undefined, optional + How long the token is valid for, in seconds. How long the token is valid for. + leaseStarted : str, default is Undefined, optional + The date and time the lease started, in RFC 3339 format. 
+ metadata : {str:str}, default is Undefined, optional + The metadata associated with the token. Metadata associated with the token. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies applied to the token. Policies set on the token. + renewable : bool, default is Undefined, optional + Whether the token is renewable or not. Whether the token is renewable or not. + roleId : str, default is Undefined, optional + The ID of the role to log in with. The RoleID to log in with. + """ + + + accessor?: str + + backend?: str + + id?: str + + leaseDuration?: float + + leaseStarted?: str + + metadata?: {str:str} + + namespace?: str + + policies?: [str] + + renewable?: bool + + roleId?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendLoginStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..55e9bb86 --- /dev/null +++ b/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,535 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AppRole auth backend roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "approle.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "approle.vault.upbound.io/v1alpha1" = "approle.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema 
ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + approle vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the auth backend to configure. Defaults to approle. Unique name of the auth backend to configure. + bindSecretId : bool, default is Undefined, optional + Whether or not to require secret_id to be presented when logging in using this AppRole. Defaults to true. Whether or not to require secret_id to be present when logging in using this AppRole. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleId : str, default is Undefined, optional + The RoleID of this role. If not specified, one will be auto-generated. The RoleID of the role. Autogenerated if not set. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + secretIdBoundCidrs : [str], default is Undefined, optional + If set, specifies blocks of IP addresses which can perform the login operation. List of CIDR blocks that can log in using the AppRole. + secretIdNumUses : float, default is Undefined, optional + The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses. Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. + secretIdTtl : float, default is Undefined, optional + The number of seconds after which any SecretID expires. Number of seconds a SecretID remains valid for. 
+ tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. 
Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + backend?: str + + bindSecretId?: bool + + namespace?: str + + roleId?: str + + roleName?: str + + secretIdBoundCidrs?: [str] + + secretIdNumUses?: float + + secretIdTtl?: float + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the auth backend to configure. Defaults to approle. Unique name of the auth backend to configure. 
+ bindSecretId : bool, default is Undefined, optional + Whether or not to require secret_id to be presented when logging in using this AppRole. Defaults to true. Whether or not to require secret_id to be present when logging in using this AppRole. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleId : str, default is Undefined, optional + The RoleID of this role. If not specified, one will be auto-generated. The RoleID of the role. Autogenerated if not set. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + secretIdBoundCidrs : [str], default is Undefined, optional + If set, specifies blocks of IP addresses which can perform the login operation. List of CIDR blocks that can log in using the AppRole. + secretIdNumUses : float, default is Undefined, optional + The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses. Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. + secretIdTtl : float, default is Undefined, optional + The number of seconds after which any SecretID expires. Number of seconds a SecretID remains valid for. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. 
Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. 
Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + backend?: str + + bindSecretId?: bool + + namespace?: str + + roleId?: str + + roleName?: str + + secretIdBoundCidrs?: [str] + + secretIdNumUses?: float + + secretIdTtl?: float + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. + + Attributes + ---------- + atProvider : ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + approle vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the auth backend to configure. Defaults to approle. Unique name of the auth backend to configure. + bindSecretId : bool, default is Undefined, optional + Whether or not to require secret_id to be presented when logging in using this AppRole. Defaults to true. Whether or not to require secret_id to be present when logging in using this AppRole. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + roleId : str, default is Undefined, optional + The RoleID of this role. If not specified, one will be auto-generated. The RoleID of the role. Autogenerated if not set. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + secretIdBoundCidrs : [str], default is Undefined, optional + If set, specifies blocks of IP addresses which can perform the login operation. List of CIDR blocks that can log in using the AppRole. + secretIdNumUses : float, default is Undefined, optional + The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. A value of zero will allow unlimited uses. Number of times which a particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. Leaving this unset or setting it to 0 will allow unlimited uses. + secretIdTtl : float, default is Undefined, optional + The number of seconds after which any SecretID expires. Number of seconds a SecretID remains valid for. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. 
The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + """ + + + backend?: str + + bindSecretId?: bool + + id?: str + + namespace?: str + + roleId?: str + + roleName?: str + + secretIdBoundCidrs?: [str] + + secretIdNumUses?: float + + secretIdTtl?: float + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role_secret_id.k b/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role_secret_id.k new file mode 100644 index 00000000..8977ea6b --- /dev/null +++ b/crossplane-provider-vault/approle/v1alpha1/approle_vault_upbound_io_v1alpha1_auth_backend_role_secret_id.k 
@@ -0,0 +1,449 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRoleSecretID: + r""" + AuthBackendRoleSecretID is the Schema for the AuthBackendRoleSecretIDs API. Manages AppRole auth backend role SecretIDs in Vault. + + Attributes + ---------- + apiVersion : str, default is "approle.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRoleSecretID", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpec, default is Undefined, required + spec + status : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatus, default is Undefined, optional + status + """ + + + apiVersion: "approle.vault.upbound.io/v1alpha1" = "approle.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRoleSecretID" = "AuthBackendRoleSecretID" + + metadata?: v1.ObjectMeta + + spec: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpec + + status?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatus + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpec: + r""" + AuthBackendRoleSecretIDSpec defines the desired state of AuthBackendRoleSecretID + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecForProvider, default is Undefined, required + for provider + initProvider : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecForProvider + + initProvider?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderConfigRef + + providerRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderRef + + publishConnectionDetailsTo?: 
ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecWriteConnectionSecretToRef + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecForProvider: + r""" + approle vault upbound io v1alpha1 auth backend role secret ID spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + cidrList : [str], default is Undefined, optional + If set, specifies blocks of IP addresses which can perform the login operation using this SecretID. List of CIDR blocks that can log in using the SecretID. + metadata : str, default is Undefined, optional + A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID. JSON-encoded secret data to write. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleName : str, default is Undefined, optional + The name of the role to create the SecretID for. Name of the role. + secretIdSecretRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecForProviderSecretIDSecretRef, default is Undefined, optional + secret Id secret ref + withWrappedAccessor : bool, default is Undefined, optional + Set to true to use the wrapped secret-id accessor as the resource ID. If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. 
+ wrappingTtl : str, default is Undefined, optional + If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed. The TTL duration of the wrapped SecretID. + """ + + + backend?: str + + cidrList?: [str] + + metadata?: str + + namespace?: str + + roleName?: str + + secretIdSecretRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecForProviderSecretIDSecretRef + + withWrappedAccessor?: bool + + wrappingTtl?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecForProviderSecretIDSecretRef: + r""" + The SecretID to be created. If set, uses "Push" mode. Defaults to Vault auto-generating SecretIDs. The SecretID to be managed. If not specified, Vault auto-generates one. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. 
+ cidrList : [str], default is Undefined, optional + If set, specifies blocks of IP addresses which can perform the login operation using this SecretID. List of CIDR blocks that can log in using the SecretID. + metadata : str, default is Undefined, optional + A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID. JSON-encoded secret data to write. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleName : str, default is Undefined, optional + The name of the role to create the SecretID for. Name of the role. + withWrappedAccessor : bool, default is Undefined, optional + Set to true to use the wrapped secret-id accessor as the resource ID. If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. + wrappingTtl : str, default is Undefined, optional + If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed. The TTL duration of the wrapped SecretID. + """ + + + backend?: str + + cidrList?: [str] + + metadata?: str + + namespace?: str + + roleName?: str + + withWrappedAccessor?: bool + + wrappingTtl?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderConfigRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToConfigRef + + metadata?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToMetadata + + name: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToConfigRefPolicy + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. 
+ + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatus: + r""" + AuthBackendRoleSecretIDStatus defines the observed state of AuthBackendRoleSecretID. 
+ + Attributes + ---------- + atProvider : ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatusAtProvider, default is Undefined, optional + at provider + conditions : [ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatusAtProvider + + conditions?: [ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatusConditionsItems0] + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatusAtProvider: + r""" + approle vault upbound io v1alpha1 auth backend role secret ID status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The unique ID for this SecretID that can be safely logged. The unique ID used to access this SecretID. + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + cidrList : [str], default is Undefined, optional + If set, specifies blocks of IP addresses which can perform the login operation using this SecretID. List of CIDR blocks that can log in using the SecretID. + id : str, default is Undefined, optional + id + metadata : str, default is Undefined, optional + A JSON-encoded string containing metadata in key-value pairs to be set on tokens issued with this SecretID. JSON-encoded secret data to write. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleName : str, default is Undefined, optional + The name of the role to create the SecretID for. Name of the role. + withWrappedAccessor : bool, default is Undefined, optional + Set to true to use the wrapped secret-id accessor as the resource ID. 
If false (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. Use the wrapped secret-id accessor as the id of this resource. If false, a fresh secret-id will be regenerated whenever the wrapping token is expired or invalidated through unwrapping. + wrappingAccessor : str, default is Undefined, optional + The unique ID for the response-wrapped SecretID that can be safely logged. The wrapped SecretID accessor. + wrappingTtl : str, default is Undefined, optional + If set, the SecretID response will be response-wrapped and available for the duration specified. Only a single unwrapping of the token is allowed. The TTL duration of the wrapped SecretID. + """ + + + accessor?: str + + backend?: str + + cidrList?: [str] + + id?: str + + metadata?: str + + namespace?: str + + roleName?: str + + withWrappedAccessor?: bool + + wrappingAccessor?: str + + wrappingTtl?: str + + +schema ApproleVaultUpboundIoV1alpha1AuthBackendRoleSecretIDStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/audit/v1alpha1/audit_vault_upbound_io_v1alpha1_request_header.k b/crossplane-provider-vault/audit/v1alpha1/audit_vault_upbound_io_v1alpha1_request_header.k new file mode 100644 index 00000000..81594fa3 --- /dev/null +++ b/crossplane-provider-vault/audit/v1alpha1/audit_vault_upbound_io_v1alpha1_request_header.k 
@@ -0,0 +1,367 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema RequestHeader: + r""" + RequestHeader is the Schema for the RequestHeaders API. Manages audited request headers in Vault + + Attributes + ---------- + apiVersion : str, default is "audit.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "RequestHeader", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AuditVaultUpboundIoV1alpha1RequestHeaderSpec, default is Undefined, required + spec + status : AuditVaultUpboundIoV1alpha1RequestHeaderStatus, default is Undefined, optional + status + """ + + + apiVersion: "audit.vault.upbound.io/v1alpha1" = "audit.vault.upbound.io/v1alpha1" + + kind: "RequestHeader" = "RequestHeader" + + metadata?: v1.ObjectMeta + + spec: AuditVaultUpboundIoV1alpha1RequestHeaderSpec + + status?: AuditVaultUpboundIoV1alpha1RequestHeaderStatus + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpec: + r""" + RequestHeaderSpec defines the desired state of RequestHeader + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the 
external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AuditVaultUpboundIoV1alpha1RequestHeaderSpecForProvider, default is Undefined, required + for provider + initProvider : AuditVaultUpboundIoV1alpha1RequestHeaderSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AuditVaultUpboundIoV1alpha1RequestHeaderSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AuditVaultUpboundIoV1alpha1RequestHeaderSpecForProvider + + initProvider?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderConfigRef + + providerRef?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderRef + + publishConnectionDetailsTo?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecWriteConnectionSecretToRef + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecForProvider: + r""" + audit vault upbound io v1alpha1 request header spec for provider + + Attributes + ---------- + hmac : bool, default is Undefined, optional + Whether this header's value should be HMAC'd in the audit logs. Whether this header's value should be HMAC'd in the audit logs. + name : str, default is Undefined, optional + The name of the request header to audit. 
The name of the request header to audit. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + """ + + + hmac?: bool + + name?: str + + namespace?: str + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + hmac : bool, default is Undefined, optional + Whether this header's value should be HMAC'd in the audit logs. Whether this header's value should be HMAC'd in the audit logs. + name : str, default is Undefined, optional + The name of the request header to audit. The name of the request header to audit. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + """ + + + hmac?: bool + + name?: str + + namespace?: str + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderConfigRefPolicy + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderRefPolicy + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToConfigRef + + metadata?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderStatus: + r""" + RequestHeaderStatus defines the observed state of RequestHeader. + + Attributes + ---------- + atProvider : AuditVaultUpboundIoV1alpha1RequestHeaderStatusAtProvider, default is Undefined, optional + at provider + conditions : [AuditVaultUpboundIoV1alpha1RequestHeaderStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AuditVaultUpboundIoV1alpha1RequestHeaderStatusAtProvider + + conditions?: [AuditVaultUpboundIoV1alpha1RequestHeaderStatusConditionsItems0] + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderStatusAtProvider: + r""" + audit vault upbound io v1alpha1 request header status at provider + + Attributes + ---------- + hmac : bool, default is Undefined, optional + Whether this header's value should be HMAC'd in the audit logs. Whether this header's value should be HMAC'd in the audit logs. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the request header to audit. The name of the request header to audit. 
+ namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + """ + + + hmac?: bool + + id?: str + + name?: str + + namespace?: str + + +schema AuditVaultUpboundIoV1alpha1RequestHeaderStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/auth/v1alpha1/auth_vault_upbound_io_v1alpha1_backend.k b/crossplane-provider-vault/auth/v1alpha1/auth_vault_upbound_io_v1alpha1_backend.k new file mode 100644 index 00000000..5a9c432b --- /dev/null +++ b/crossplane-provider-vault/auth/v1alpha1/auth_vault_upbound_io_v1alpha1_backend.k 
@@ -0,0 +1,545 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Backend: + r""" + Backend is the Schema for the Backends API. Managing roles in an Cert auth backend in Vault + + Attributes + ---------- + apiVersion : str, default is "auth.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Backend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AuthVaultUpboundIoV1alpha1BackendSpec, default is Undefined, required + spec + status : AuthVaultUpboundIoV1alpha1BackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "auth.vault.upbound.io/v1alpha1" = "auth.vault.upbound.io/v1alpha1" + + kind: "Backend" = "Backend" + + metadata?: v1.ObjectMeta + + spec: AuthVaultUpboundIoV1alpha1BackendSpec + + status?: AuthVaultUpboundIoV1alpha1BackendStatus + + +schema AuthVaultUpboundIoV1alpha1BackendSpec: + r""" + BackendSpec defines the desired state of Backend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AuthVaultUpboundIoV1alpha1BackendSpecForProvider, default is Undefined, required + for provider + initProvider : AuthVaultUpboundIoV1alpha1BackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AuthVaultUpboundIoV1alpha1BackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AuthVaultUpboundIoV1alpha1BackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AuthVaultUpboundIoV1alpha1BackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AuthVaultUpboundIoV1alpha1BackendSpecForProvider + + initProvider?: AuthVaultUpboundIoV1alpha1BackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AuthVaultUpboundIoV1alpha1BackendSpecProviderConfigRef + + providerRef?: AuthVaultUpboundIoV1alpha1BackendSpecProviderRef + + publishConnectionDetailsTo?: AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AuthVaultUpboundIoV1alpha1BackendSpecWriteConnectionSecretToRef + + +schema AuthVaultUpboundIoV1alpha1BackendSpecForProvider: + r""" + auth vault upbound io v1alpha1 backend spec for provider + + Attributes + ---------- + description : str, default is Undefined, optional + The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. 
+ local : bool, default is Undefined, optional + Specifies if the auth method is local only + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + path to mount the backend. This defaults to the type. + tune : [AuthVaultUpboundIoV1alpha1BackendSpecForProviderTuneItems0], default is Undefined, optional + tune + $type : str, default is Undefined, optional + Name of the auth backend + """ + + + description?: str + + disableRemount?: bool + + local?: bool + + namespace?: str + + path?: str + + tune?: [AuthVaultUpboundIoV1alpha1BackendSpecForProviderTuneItems0] + + $type?: str + + +schema AuthVaultUpboundIoV1alpha1BackendSpecForProviderTuneItems0: + r""" + auth vault upbound io v1alpha1 backend spec for provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + allowed response headers + auditNonHmacRequestKeys : [str], default is Undefined, optional + audit non hmac request keys + auditNonHmacResponseKeys : [str], default is Undefined, optional + audit non hmac response keys + defaultLeaseTtl : str, default is Undefined, optional + default lease Ttl + listingVisibility : str, default is Undefined, optional + listing visibility + maxLeaseTtl : str, default is Undefined, optional + max lease Ttl + passthroughRequestHeaders : [str], default is Undefined, optional + passthrough request headers + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). 
For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema AuthVaultUpboundIoV1alpha1BackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + description : str, default is Undefined, optional + The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Specifies if the auth method is local only + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + path to mount the backend. This defaults to the type. 
+ tune : [AuthVaultUpboundIoV1alpha1BackendSpecInitProviderTuneItems0], default is Undefined, optional + tune + $type : str, default is Undefined, optional + Name of the auth backend + """ + + + description?: str + + disableRemount?: bool + + local?: bool + + namespace?: str + + path?: str + + tune?: [AuthVaultUpboundIoV1alpha1BackendSpecInitProviderTuneItems0] + + $type?: str + + +schema AuthVaultUpboundIoV1alpha1BackendSpecInitProviderTuneItems0: + r""" + auth vault upbound io v1alpha1 backend spec init provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + allowed response headers + auditNonHmacRequestKeys : [str], default is Undefined, optional + audit non hmac request keys + auditNonHmacResponseKeys : [str], default is Undefined, optional + audit non hmac response keys + defaultLeaseTtl : str, default is Undefined, optional + default lease Ttl + listingVisibility : str, default is Undefined, optional + listing visibility + maxLeaseTtl : str, default is Undefined, optional + max lease Ttl + passthroughRequestHeaders : [str], default is Undefined, optional + passthrough request headers + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
+ """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema AuthVaultUpboundIoV1alpha1BackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AuthVaultUpboundIoV1alpha1BackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AuthVaultUpboundIoV1alpha1BackendSpecProviderConfigRefPolicy + + +schema AuthVaultUpboundIoV1alpha1BackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AuthVaultUpboundIoV1alpha1BackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AuthVaultUpboundIoV1alpha1BackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AuthVaultUpboundIoV1alpha1BackendSpecProviderRefPolicy + + +schema AuthVaultUpboundIoV1alpha1BackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToConfigRef + + metadata?: AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AuthVaultUpboundIoV1alpha1BackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AuthVaultUpboundIoV1alpha1BackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AuthVaultUpboundIoV1alpha1BackendStatus: + r""" + BackendStatus defines the observed state of Backend. + + Attributes + ---------- + atProvider : AuthVaultUpboundIoV1alpha1BackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [AuthVaultUpboundIoV1alpha1BackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: AuthVaultUpboundIoV1alpha1BackendStatusAtProvider + + conditions?: [AuthVaultUpboundIoV1alpha1BackendStatusConditionsItems0] + + +schema AuthVaultUpboundIoV1alpha1BackendStatusAtProvider: + r""" + auth vault upbound io v1alpha1 backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The accessor of the auth backend + description : str, default is Undefined, optional + The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Specifies if the auth method is local only + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + path to mount the backend. This defaults to the type. 
+ tune : [AuthVaultUpboundIoV1alpha1BackendStatusAtProviderTuneItems0], default is Undefined, optional + tune + $type : str, default is Undefined, optional + Name of the auth backend + """ + + + accessor?: str + + description?: str + + disableRemount?: bool + + id?: str + + local?: bool + + namespace?: str + + path?: str + + tune?: [AuthVaultUpboundIoV1alpha1BackendStatusAtProviderTuneItems0] + + $type?: str + + +schema AuthVaultUpboundIoV1alpha1BackendStatusAtProviderTuneItems0: + r""" + auth vault upbound io v1alpha1 backend status at provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + allowed response headers + auditNonHmacRequestKeys : [str], default is Undefined, optional + audit non hmac request keys + auditNonHmacResponseKeys : [str], default is Undefined, optional + audit non hmac response keys + defaultLeaseTtl : str, default is Undefined, optional + default lease Ttl + listingVisibility : str, default is Undefined, optional + listing visibility + maxLeaseTtl : str, default is Undefined, optional + max lease Ttl + passthroughRequestHeaders : [str], default is Undefined, optional + passthrough request headers + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema AuthVaultUpboundIoV1alpha1BackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_cert.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_cert.k new file mode 100644 index 00000000..649f967d --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_cert.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendCert: + r""" + AuthBackendCert is the Schema for the AuthBackendCerts API. Manages a certificate for an AWS Auth Backend in Vault. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendCert", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendCertSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendCertStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendCert" = "AuthBackendCert" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendCertSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendCertStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpec: + r""" + AuthBackendCertSpec defines the desired state of AuthBackendCert + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecForProvider: + r""" + aws vault upbound io 
v1alpha1 auth backend cert spec for provider + + Attributes + ---------- + awsPublicCert : str, default is Undefined, optional + The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation. Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + certName : str, default is Undefined, optional + The name of the certificate. Name of the certificate to configure. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + $type : str, default is Undefined, optional + Either "pkcs7" or "identity", indicating the type of document which can be verified using the given certificate. Defaults to "pkcs7". The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". + """ + + + awsPublicCert?: str + + backend?: str + + certName?: str + + namespace?: str + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + awsPublicCert : str, default is Undefined, optional + The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation. Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + certName : str, default is Undefined, optional + The name of the certificate. Name of the certificate to configure. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + $type : str, default is Undefined, optional + Either "pkcs7" or "identity", indicating the type of document which can be verified using the given certificate. Defaults to "pkcs7". The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". + """ + + + awsPublicCert?: str + + backend?: str + + certName?: str + + namespace?: str + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertStatus: + r""" + AuthBackendCertStatus defines the observed state of AuthBackendCert. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendCertStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendCertStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendCertStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendCertStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend cert status at provider + + Attributes + ---------- + awsPublicCert : str, default is Undefined, optional + The Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. You can find this key in the AWS documentation. Base64 encoded AWS Public key required to verify PKCS7 signature of the EC2 instance metadata. 
+ backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + certName : str, default is Undefined, optional + The name of the certificate. Name of the certificate to configure. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + $type : str, default is Undefined, optional + Either "pkcs7" or "identity", indicating the type of document which can be verified using the given certificate. Defaults to "pkcs7". The type of document that can be verified using the certificate. Must be either "pkcs7" or "identity". + """ + + + awsPublicCert?: str + + backend?: str + + certName?: str + + id?: str + + namespace?: str + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendCertStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_client.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_client.k new file mode 100644 index 00000000..50ad9466 --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_client.k 
@@ -0,0 +1,479 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendClient: + r""" + AuthBackendClient is the Schema for the AuthBackendClients API. Configures the client used by an AWS Auth Backend in Vault. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendClient", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendClientSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendClientStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendClient" = "AuthBackendClient" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendClientSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendClientStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpec: + r""" + AuthBackendClientSpec defines the desired state of AuthBackendClient + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProvider: + r""" + 
aws vault upbound io v1alpha1 auth backend client spec for provider + + Attributes + ---------- + accessKeySecretRef : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProviderAccessKeySecretRef, default is Undefined, optional + access key secret ref + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + ec2Endpoint : str, default is Undefined, optional + Override the URL Vault uses when making EC2 API calls. URL to override the default generated endpoint for making AWS EC2 API calls. + iamEndpoint : str, default is Undefined, optional + Override the URL Vault uses when making IAM API calls. URL to override the default generated endpoint for making AWS IAM API calls. + iamServerIdHeaderValue : str, default is Undefined, optional + The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + secretKeySecretRef : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProviderSecretKeySecretRef, default is Undefined, optional + secret key secret ref + stsEndpoint : str, default is Undefined, optional + Override the URL Vault uses when making STS API calls. URL to override the default generated endpoint for making AWS STS API calls. + stsRegion : str, default is Undefined, optional + Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region. 
Region to override the default region for making AWS STS API calls. + useStsRegionFromClient : bool, default is Undefined, optional + Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used. If set, will override sts_region and use the region from the client request's header + """ + + + accessKeySecretRef?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProviderAccessKeySecretRef + + backend?: str + + ec2Endpoint?: str + + iamEndpoint?: str + + iamServerIdHeaderValue?: str + + namespace?: str + + secretKeySecretRef?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProviderSecretKeySecretRef + + stsEndpoint?: str + + stsRegion?: str + + useStsRegionFromClient?: bool + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProviderAccessKeySecretRef: + r""" + The AWS access key that Vault should use for the auth backend. AWS Access key with permissions to query AWS APIs. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecForProviderSecretKeySecretRef: + r""" + The AWS secret key that Vault should use for the auth backend. AWS Secret key with permissions to query AWS APIs. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + ec2Endpoint : str, default is Undefined, optional + Override the URL Vault uses when making EC2 API calls. URL to override the default generated endpoint for making AWS EC2 API calls. + iamEndpoint : str, default is Undefined, optional + Override the URL Vault uses when making IAM API calls. URL to override the default generated endpoint for making AWS IAM API calls. + iamServerIdHeaderValue : str, default is Undefined, optional + The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method. The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. 
Available only for Vault Enterprise. Target namespace. (requires Enterprise) + stsEndpoint : str, default is Undefined, optional + Override the URL Vault uses when making STS API calls. URL to override the default generated endpoint for making AWS STS API calls. + stsRegion : str, default is Undefined, optional + Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region. Region to override the default region for making AWS STS API calls. + useStsRegionFromClient : bool, default is Undefined, optional + Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used. If set, will override sts_region and use the region from the client request's header + """ + + + backend?: str + + ec2Endpoint?: str + + iamEndpoint?: str + + iamServerIdHeaderValue?: str + + namespace?: str + + stsEndpoint?: str + + stsRegion?: str + + useStsRegionFromClient?: bool + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientStatus: + r""" + AuthBackendClientStatus defines the observed state of AuthBackendClient. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendClientStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendClientStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendClientStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendClientStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend client status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + ec2Endpoint : str, default is Undefined, optional + Override the URL Vault uses when making EC2 API calls. URL to override the default generated endpoint for making AWS EC2 API calls. + iamEndpoint : str, default is Undefined, optional + Override the URL Vault uses when making IAM API calls. URL to override the default generated endpoint for making AWS IAM API calls. + iamServerIdHeaderValue : str, default is Undefined, optional + The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the IAM auth method. 
The value to require in the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity requests that are used in the iam auth method. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + stsEndpoint : str, default is Undefined, optional + Override the URL Vault uses when making STS API calls. URL to override the default generated endpoint for making AWS STS API calls. + stsRegion : str, default is Undefined, optional + Override the default region when making STS API calls. The sts_endpoint argument must be set when using sts_region. Region to override the default region for making AWS STS API calls. + useStsRegionFromClient : bool, default is Undefined, optional + Available in Vault v1.15+. If set, overrides both sts_endpoint and sts_region to instead use the region specified in the client request headers for IAM-based authentication. This can be useful when you have client requests coming from different regions and want flexibility in which regional STS API is used. If set, will override sts_region and use the region from the client request's header + """ + + + backend?: str + + ec2Endpoint?: str + + iamEndpoint?: str + + iamServerIdHeaderValue?: str + + id?: str + + namespace?: str + + stsEndpoint?: str + + stsRegion?: str + + useStsRegionFromClient?: bool + + +schema AwsVaultUpboundIoV1alpha1AuthBackendClientStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_config_identity.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_config_identity.k new file mode 100644 index 00000000..45639c90 --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_config_identity.k 
@@ -0,0 +1,403 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendConfigIdentity: + r""" + AuthBackendConfigIdentity is the Schema for the AuthBackendConfigIdentitys API. Manages AWS auth backend identity configuration in Vault. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendConfigIdentity", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendConfigIdentity" = "AuthBackendConfigIdentity" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpec: + r""" + AuthBackendConfigIdentitySpec defines the desired state of AuthBackendConfigIdentity + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderRef + + publishConnectionDetailsTo?: 
AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecForProvider: + r""" + aws vault upbound io v1alpha1 auth backend config identity spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + ec2Alias : str, default is Undefined, optional + How to generate the identity alias when using the ec2 auth method. Valid choices are role_id, instance_id, and image_id. Defaults to role_id Configures how to generate the identity alias when using the ec2 auth method. + ec2Metadata : [str], default is Undefined, optional + The metadata to include on the token returned by the login endpoint. This metadata will be added to both audit logs, and on the ec2_alias The metadata to include on the token returned by the login endpoint. + iamAlias : str, default is Undefined, optional + How to generate the identity alias when using the iam auth method. Valid choices are role_id, unique_id, and full_arn. Defaults to role_id How to generate the identity alias when using the iam auth method. + iamMetadata : [str], default is Undefined, optional + The metadata to include on the token returned by the login endpoint. This metadata will be added to both audit logs, and on the iam_alias The metadata to include on the token returned by the login endpoint. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + """ + + + backend?: str + + ec2Alias?: str + + ec2Metadata?: [str] + + iamAlias?: str + + iamMetadata?: [str] + + namespace?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + ec2Alias : str, default is Undefined, optional + How to generate the identity alias when using the ec2 auth method. Valid choices are role_id, instance_id, and image_id. Defaults to role_id Configures how to generate the identity alias when using the ec2 auth method. + ec2Metadata : [str], default is Undefined, optional + The metadata to include on the token returned by the login endpoint. This metadata will be added to both audit logs, and on the ec2_alias The metadata to include on the token returned by the login endpoint. + iamAlias : str, default is Undefined, optional + How to generate the identity alias when using the iam auth method. Valid choices are role_id, unique_id, and full_arn. Defaults to role_id How to generate the identity alias when using the iam auth method. + iamMetadata : [str], default is Undefined, optional + The metadata to include on the token returned by the login endpoint. 
This metadata will be added to both audit logs, and on the iam_alias The metadata to include on the token returned by the login endpoint. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + ec2Alias?: str + + ec2Metadata?: [str] + + iamAlias?: str + + iamMetadata?: [str] + + namespace?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentitySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatus: + r""" + AuthBackendConfigIdentityStatus defines the observed state of AuthBackendConfigIdentity. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend config identity status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + ec2Alias : str, default is Undefined, optional + How to generate the identity alias when using the ec2 auth method. Valid choices are role_id, instance_id, and image_id. Defaults to role_id Configures how to generate the identity alias when using the ec2 auth method. + ec2Metadata : [str], default is Undefined, optional + The metadata to include on the token returned by the login endpoint. This metadata will be added to both audit logs, and on the ec2_alias The metadata to include on the token returned by the login endpoint. + iamAlias : str, default is Undefined, optional + How to generate the identity alias when using the iam auth method. Valid choices are role_id, unique_id, and full_arn. Defaults to role_id How to generate the identity alias when using the iam auth method. + iamMetadata : [str], default is Undefined, optional + The metadata to include on the token returned by the login endpoint. 
This metadata will be added to both audit logs, and on the iam_alias The metadata to include on the token returned by the login endpoint. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + ec2Alias?: str + + ec2Metadata?: [str] + + iamAlias?: str + + iamMetadata?: [str] + + id?: str + + namespace?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendConfigIdentityStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_identity_whitelist.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_identity_whitelist.k new file mode 100644 index 00000000..4ea473e1 --- /dev/null 
+++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_identity_whitelist.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendIdentityWhitelist: + r""" + AuthBackendIdentityWhitelist is the Schema for the AuthBackendIdentityWhitelists API. Configures the periodic tidying operation of the whitelisted identity entries. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendIdentityWhitelist", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendIdentityWhitelist" = "AuthBackendIdentityWhitelist" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpec: + r""" + AuthBackendIdentityWhitelistSpec defines the desired state of AuthBackendIdentityWhitelist + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderRef + + publishConnectionDetailsTo?: 
AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecForProvider: + r""" + aws vault upbound io v1alpha1 auth backend identity whitelist spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path of the AWS backend being configured. Unique name of the auth backend to configure. + disablePeriodicTidy : bool, default is Undefined, optional + If set to true, disables the periodic tidying of the identity-whitelist entries. If true, disables the periodic tidying of the identiy whitelist entries. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + safetyBuffer : float, default is Undefined, optional + The amount of extra time, in minutes, that must have passed beyond the roletag expiration, before it is removed from the backend storage. The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + """ + + + backend?: str + + disablePeriodicTidy?: bool + + namespace?: str + + safetyBuffer?: float + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. 
The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path of the AWS backend being configured. Unique name of the auth backend to configure. + disablePeriodicTidy : bool, default is Undefined, optional + If set to true, disables the periodic tidying of the identity-whitelist entries. If true, disables the periodic tidying of the identiy whitelist entries. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + safetyBuffer : float, default is Undefined, optional + The amount of extra time, in minutes, that must have passed beyond the roletag expiration, before it is removed from the backend storage. The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + """ + + + backend?: str + + disablePeriodicTidy?: bool + + namespace?: str + + safetyBuffer?: float + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. 
+ + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatus: + r""" + AuthBackendIdentityWhitelistStatus defines the observed state of AuthBackendIdentityWhitelist. 
+ + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend identity whitelist status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path of the AWS backend being configured. Unique name of the auth backend to configure. + disablePeriodicTidy : bool, default is Undefined, optional + If set to true, disables the periodic tidying of the identity-whitelist entries. If true, disables the periodic tidying of the identiy whitelist entries. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + safetyBuffer : float, default is Undefined, optional + The amount of extra time, in minutes, that must have passed beyond the roletag expiration, before it is removed from the backend storage. The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + """ + + + backend?: str + + disablePeriodicTidy?: bool + + id?: str + + namespace?: str + + safetyBuffer?: float + + +schema AwsVaultUpboundIoV1alpha1AuthBackendIdentityWhitelistStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_login.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_login.k new file mode 100644 index 00000000..b2e1c1a3 --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_login.k 
@@ -0,0 +1,491 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendLogin: + r""" + AuthBackendLogin is the Schema for the AuthBackendLogins API. Manages Vault tokens acquired using the AWS auth backend. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendLogin", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendLoginStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendLogin" = "AuthBackendLogin" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendLoginStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpec: + r""" + AuthBackendLoginSpec defines the desired state of AuthBackendLogin + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecForProvider: + r""" + aws vault 
upbound io v1alpha1 auth backend login spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the AWS auth backend. Defaults to 'aws'. AWS Auth Backend to read the token from. + iamHttpRequestMethod : str, default is Undefined, optional + The HTTP method used in the signed IAM request. The HTTP method used in the signed request. + iamRequestBody : str, default is Undefined, optional + The base64-encoded body of the signed request. The Base64-encoded body of the signed request. + iamRequestHeaders : str, default is Undefined, optional + The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers. The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. + iamRequestUrl : str, default is Undefined, optional + The base64-encoded HTTP URL used in the signed request. The Base64-encoded HTTP URL used in the signed request. + identity : str, default is Undefined, optional + The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server. Base64-encoded EC2 instance identity document to authenticate with. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + nonce : str, default is Undefined, optional + The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce. The nonce to be used for subsequent login requests. 
+ pkcs7 : str, default is Undefined, optional + The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. PKCS7 signature of the identity document to authenticate with, with all newline characters removed. + role : str, default is Undefined, optional + The name of the AWS auth backend role to create tokens against. AWS Auth Role to read the token from. + signature : str, default is Undefined, optional + The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. + """ + + + backend?: str + + iamHttpRequestMethod?: str + + iamRequestBody?: str + + iamRequestHeaders?: str + + iamRequestUrl?: str + + identity?: str + + namespace?: str + + nonce?: str + + pkcs7?: str + + role?: str + + signature?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the AWS auth backend. Defaults to 'aws'. AWS Auth Backend to read the token from. 
+ iamHttpRequestMethod : str, default is Undefined, optional + The HTTP method used in the signed IAM request. The HTTP method used in the signed request. + iamRequestBody : str, default is Undefined, optional + The base64-encoded body of the signed request. The Base64-encoded body of the signed request. + iamRequestHeaders : str, default is Undefined, optional + The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers. The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. + iamRequestUrl : str, default is Undefined, optional + The base64-encoded HTTP URL used in the signed request. The Base64-encoded HTTP URL used in the signed request. + identity : str, default is Undefined, optional + The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server. Base64-encoded EC2 instance identity document to authenticate with. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + nonce : str, default is Undefined, optional + The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce. The nonce to be used for subsequent login requests. + pkcs7 : str, default is Undefined, optional + The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. PKCS7 signature of the identity document to authenticate with, with all newline characters removed. 
+ role : str, default is Undefined, optional + The name of the AWS auth backend role to create tokens against. AWS Auth Role to read the token from. + signature : str, default is Undefined, optional + The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. + """ + + + backend?: str + + iamHttpRequestMethod?: str + + iamRequestBody?: str + + iamRequestHeaders?: str + + iamRequestUrl?: str + + identity?: str + + namespace?: str + + nonce?: str + + pkcs7?: str + + role?: str + + signature?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginStatus: + r""" + AuthBackendLoginStatus defines the observed state of AuthBackendLogin. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendLoginStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendLoginStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendLoginStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendLoginStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend login status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The token's accessor. The accessor returned from Vault for this token. + authType : str, default is Undefined, optional + The authentication type used to generate this token. The auth method used to generate this token. + backend : str, default is Undefined, optional + The unique name of the AWS auth backend. Defaults to 'aws'. AWS Auth Backend to read the token from. + iamHttpRequestMethod : str, default is Undefined, optional + The HTTP method used in the signed IAM request. The HTTP method used in the signed request. + iamRequestBody : str, default is Undefined, optional + The base64-encoded body of the signed request. The Base64-encoded body of the signed request. + iamRequestHeaders : str, default is Undefined, optional + The base64-encoded, JSON serialized representation of the GetCallerIdentity HTTP request headers. The Base64-encoded, JSON serialized representation of the sts:GetCallerIdentity HTTP request headers. + iamRequestUrl : str, default is Undefined, optional + The base64-encoded HTTP URL used in the signed request. The Base64-encoded HTTP URL used in the signed request. 
+ id : str, default is Undefined, optional + id + identity : str, default is Undefined, optional + The base64-encoded EC2 instance identity document to authenticate with. Can be retrieved from the EC2 metadata server. Base64-encoded EC2 instance identity document to authenticate with. + leaseDuration : float, default is Undefined, optional + The duration in seconds the token will be valid, relative to the time in lease_start_time. Lease duration in seconds relative to the time in lease_start_time. + leaseStartTime : str, default is Undefined, optional + the approximate time at which the token was created, using the clock of the system where Upbound official provider was running. time at which the lease was read, using the clock of the system where Upbound official provider was running + metadata : {str:str}, default is Undefined, optional + A map of information returned by the Vault server about the authentication used to generate this token. The metadata reported by the Vault server. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + nonce : str, default is Undefined, optional + The unique nonce to be used for login requests. Can be set to a user-specified value, or will contain the server-generated value once a token is issued. EC2 instances can only acquire a single token until the whitelist is tidied again unless they keep track of this nonce. The nonce to be used for subsequent login requests. + pkcs7 : str, default is Undefined, optional + The PKCS#7 signature of the identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. PKCS7 signature of the identity document to authenticate with, with all newline characters removed. 
+ policies : [str], default is Undefined, optional + The Vault policies assigned to this token. The policies assigned to this token. + renewable : bool, default is Undefined, optional + Set to true if the token can be extended through renewal. True if the duration of this lease can be extended through renewal. + role : str, default is Undefined, optional + The name of the AWS auth backend role to create tokens against. AWS Auth Role to read the token from. + signature : str, default is Undefined, optional + The base64-encoded SHA256 RSA signature of the instance identity document to authenticate with, with all newline characters removed. Can be retrieved from the EC2 metadata server. Base64-encoded SHA256 RSA signature of the instance identtiy document to authenticate with. + """ + + + accessor?: str + + authType?: str + + backend?: str + + iamHttpRequestMethod?: str + + iamRequestBody?: str + + iamRequestHeaders?: str + + iamRequestUrl?: str + + id?: str + + identity?: str + + leaseDuration?: float + + leaseStartTime?: str + + metadata?: {str:str} + + namespace?: str + + nonce?: str + + pkcs7?: str + + policies?: [str] + + renewable?: bool + + role?: str + + signature?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendLoginStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..e125f49f --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,671 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Manages AWS auth backend roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" 
the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + aws vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + allowInstanceMigration : bool, default is Undefined, optional + If set to true, allows migration of the underlying instance where the client resides. When true, allows migration of the underlying instance where the client resides. Use with caution. 
+ authType : str, default is Undefined, optional + The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam. The auth type permitted for this role. + backend : str, default is Undefined, optional + Path to the mounted aws auth backend. Unique name of the auth backend to configure. + boundAccountIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances with this account ID in their identity document will be permitted to log in. + boundAmiIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances using this AMI ID will be permitted to log in. + boundEc2InstanceIds : [str], default is Undefined, optional + Only EC2 instances that match this instance ID will be permitted to log in. + boundIamInstanceProfileArns : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + boundIamPrincipalArns : [str], default is Undefined, optional + If set, defines the IAM principal that must be authenticated when auth_type is set to iam. 
Wildcards are supported at the end of the ARN. The IAM principal that must be authenticated using the iam auth method. + boundIamRoleArns : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances that match this IAM role ARN will be permitted to log in. + boundRegions : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances in this region will be permitted to log in. + boundSubnetIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with this subnet ID will be permitted to log in. + boundVpcIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with this VPC ID will be permitted to log in. + disallowReauthentication : bool, default is Undefined, optional + IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2. 
When true, only allows a single token to be granted per instance ID. + inferredAwsRegion : str, default is Undefined, optional + When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam. The region to search for the inferred entities in. + inferredEntityType : str, default is Undefined, optional + If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam. The type of inferencing Vault should do. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + resolveAwsUniqueIds : bool, default is Undefined, optional + Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role. Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + role : str, default is Undefined, optional + The name of the role. 
Name of the role. + roleTag : str, default is Undefined, optional + If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. The key of the tag on EC2 instance to use for role tags. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. 
Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + allowInstanceMigration?: bool + + authType?: str + + backend?: str + + boundAccountIds?: [str] + + boundAmiIds?: [str] + + boundEc2InstanceIds?: [str] + + boundIamInstanceProfileArns?: [str] + + boundIamPrincipalArns?: [str] + + boundIamRoleArns?: [str] + + boundRegions?: [str] + + boundSubnetIds?: [str] + + boundVpcIds?: [str] + + disallowReauthentication?: bool + + inferredAwsRegion?: str + + inferredEntityType?: str + + namespace?: str + + resolveAwsUniqueIds?: bool + + role?: str + + roleTag?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowInstanceMigration : bool, default is Undefined, optional + If set to true, allows migration of the underlying instance where the client resides. When true, allows migration of the underlying instance where the client resides. Use with caution. + authType : str, default is Undefined, optional + The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam. The auth type permitted for this role. + backend : str, default is Undefined, optional + Path to the mounted aws auth backend. Unique name of the auth backend to configure. + boundAccountIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances with this account ID in their identity document will be permitted to log in. + boundAmiIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances using this AMI ID will be permitted to log in. 
+ boundEc2InstanceIds : [str], default is Undefined, optional + Only EC2 instances that match this instance ID will be permitted to log in. + boundIamInstanceProfileArns : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + boundIamPrincipalArns : [str], default is Undefined, optional + If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN. The IAM principal that must be authenticated using the iam auth method. + boundIamRoleArns : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances that match this IAM role ARN will be permitted to log in. + boundRegions : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances in this region will be permitted to log in. 
+ boundSubnetIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with this subnet ID will be permitted to log in. + boundVpcIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with this VPC ID will be permitted to log in. + disallowReauthentication : bool, default is Undefined, optional + IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2. When true, only allows a single token to be granted per instance ID. + inferredAwsRegion : str, default is Undefined, optional + When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam. The region to search for the inferred entities in. + inferredEntityType : str, default is Undefined, optional + If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam. The type of inferencing Vault should do. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. 
Target namespace. (requires Enterprise) + resolveAwsUniqueIds : bool, default is Undefined, optional + Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role. Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + role : str, default is Undefined, optional + The name of the role. Name of the role. + roleTag : str, default is Undefined, optional + If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. The key of the tag on EC2 instance to use for role tags. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. 
Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + """ + + + allowInstanceMigration?: bool + + authType?: str + + backend?: str + + boundAccountIds?: [str] + + boundAmiIds?: [str] + + boundEc2InstanceIds?: [str] + + boundIamInstanceProfileArns?: [str] + + boundIamPrincipalArns?: [str] + + boundIamRoleArns?: [str] + + boundRegions?: [str] + + boundSubnetIds?: [str] + + boundVpcIds?: [str] + + disallowReauthentication?: bool + + inferredAwsRegion?: str + + inferredEntityType?: str + + namespace?: str + + resolveAwsUniqueIds?: bool + + role?: str + + roleTag?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + allowInstanceMigration : bool, default is Undefined, optional + If set to true, allows migration of the underlying instance where the client resides. When true, allows migration of the underlying instance where the client resides. Use with caution. + authType : str, default is Undefined, optional + The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam. The auth type permitted for this role. + backend : str, default is Undefined, optional + Path to the mounted aws auth backend. Unique name of the auth backend to configure. + boundAccountIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. 
Only EC2 instances with this account ID in their identity document will be permitted to log in. + boundAmiIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances using this AMI ID will be permitted to log in. + boundEc2InstanceIds : [str], default is Undefined, optional + Only EC2 instances that match this instance ID will be permitted to log in. + boundIamInstanceProfileArns : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with an IAM instance profile ARN that matches this value will be permitted to log in. + boundIamPrincipalArns : [str], default is Undefined, optional + If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN. The IAM principal that must be authenticated using the iam auth method. + boundIamRoleArns : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances that match this IAM role ARN will be permitted to log in. 
+ boundRegions : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances in this region will be permitted to log in. + boundSubnetIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with this subnet ID will be permitted to log in. + boundVpcIds : [str], default is Undefined, optional + If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. Only EC2 instances associated with this VPC ID will be permitted to log in. + disallowReauthentication : bool, default is Undefined, optional + IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2. When true, only allows a single token to be granted per instance ID. + id : str, default is Undefined, optional + id + inferredAwsRegion : str, default is Undefined, optional + When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam. The region to search for the inferred entities in. + inferredEntityType : str, default is Undefined, optional + If set, instructs Vault to turn on inferencing. 
The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam. The type of inferencing Vault should do. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + resolveAwsUniqueIds : bool, default is Undefined, optional + Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role. Whether or not Vault should resolve the bound_iam_principal_arn to an AWS Unique ID. When true, deleting a principal and recreating it with the same name won't automatically grant the new principal the same roles in Vault that the old principal had. + role : str, default is Undefined, optional + The name of the role. Name of the role. + roleId : str, default is Undefined, optional + The Vault generated role ID. The Vault generated role ID. + roleTag : str, default is Undefined, optional + If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint. The key of the tag on EC2 instance to use for role tags. 
+ tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. 
Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + allowInstanceMigration?: bool + + authType?: str + + backend?: str + + boundAccountIds?: [str] + + boundAmiIds?: [str] + + boundEc2InstanceIds?: [str] + + boundIamInstanceProfileArns?: [str] + + boundIamPrincipalArns?: [str] + + boundIamRoleArns?: [str] + + boundRegions?: [str] + + boundSubnetIds?: [str] + + boundVpcIds?: [str] + + disallowReauthentication?: bool + + id?: str + + inferredAwsRegion?: str + + inferredEntityType?: str + + namespace?: str + + resolveAwsUniqueIds?: bool + + role?: str + + roleId?: str + + roleTag?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. 
+ status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role_tag.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role_tag.k new file mode 100644 index 00000000..2a87abcb --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_role_tag.k 
@@ -0,0 +1,435 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRoleTag: + r""" + AuthBackendRoleTag is the Schema for the AuthBackendRoleTags API. Reads role tags from a Vault AWS auth backend. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRoleTag", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRoleTag" = "AuthBackendRoleTag" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpec: + r""" + AuthBackendRoleTagSpec defines the desired state of AuthBackendRoleTag + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecWriteConnectionSecretToRef + + +schema 
AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecForProvider: + r""" + aws vault upbound io v1alpha1 auth backend role tag spec for provider + + Attributes + ---------- + allowInstanceMigration : bool, default is Undefined, optional + If set, allows migration of the underlying instances where the client resides. Use with caution. Allows migration of the underlying instance where the client resides. + backend : str, default is Undefined, optional + The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to "aws". AWS auth backend to read tags from. + disallowReauthentication : bool, default is Undefined, optional + If set, only allows a single token to be granted per instance ID. Only allow a single token to be granted per instance ID. + instanceId : str, default is Undefined, optional + Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. + maxTtl : str, default is Undefined, optional + The maximum TTL of the tokens issued using this role. The maximum allowed lifetime of tokens issued using this role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + The policies to be associated with the tag. Must be a subset of the policies associated with the role. Policies to be associated with the tag. + role : str, default is Undefined, optional + The name of the AWS auth backend role to read role tags from, with no leading or trailing /s. Name of the role. 
+ """ + + + allowInstanceMigration?: bool + + backend?: str + + disallowReauthentication?: bool + + instanceId?: str + + maxTtl?: str + + namespace?: str + + policies?: [str] + + role?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowInstanceMigration : bool, default is Undefined, optional + If set, allows migration of the underlying instances where the client resides. Use with caution. Allows migration of the underlying instance where the client resides. + backend : str, default is Undefined, optional + The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to "aws". AWS auth backend to read tags from. + disallowReauthentication : bool, default is Undefined, optional + If set, only allows a single token to be granted per instance ID. Only allow a single token to be granted per instance ID. + instanceId : str, default is Undefined, optional + Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID. Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. + maxTtl : str, default is Undefined, optional + The maximum TTL of the tokens issued using this role. 
The maximum allowed lifetime of tokens issued using this role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + The policies to be associated with the tag. Must be a subset of the policies associated with the role. Policies to be associated with the tag. + role : str, default is Undefined, optional + The name of the AWS auth backend role to read role tags from, with no leading or trailing /s. Name of the role. + """ + + + allowInstanceMigration?: bool + + backend?: str + + disallowReauthentication?: bool + + instanceId?: str + + maxTtl?: str + + namespace?: str + + policies?: [str] + + role?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatus: + r""" + AuthBackendRoleTagStatus defines the observed state of AuthBackendRoleTag. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend role tag status at provider + + Attributes + ---------- + allowInstanceMigration : bool, default is Undefined, optional + If set, allows migration of the underlying instances where the client resides. Use with caution. Allows migration of the underlying instance where the client resides. + backend : str, default is Undefined, optional + The path to the AWS auth backend to read role tags from, with no leading or trailing /s. Defaults to "aws". AWS auth backend to read tags from. + disallowReauthentication : bool, default is Undefined, optional + If set, only allows a single token to be granted per instance ID. Only allow a single token to be granted per instance ID. + id : str, default is Undefined, optional + id + instanceId : str, default is Undefined, optional + Instance ID for which this tag is intended for. 
If set, the created tag can only be used by the instance with the given ID. Instance ID for which this tag is intended. The created tag can only be used by the instance with the given ID. + maxTtl : str, default is Undefined, optional + The maximum TTL of the tokens issued using this role. The maximum allowed lifetime of tokens issued using this role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + The policies to be associated with the tag. Must be a subset of the policies associated with the role. Policies to be associated with the tag. + role : str, default is Undefined, optional + The name of the AWS auth backend role to read role tags from, with no leading or trailing /s. Name of the role. + tagKey : str, default is Undefined, optional + The key of the role tag. + tagValue : str, default is Undefined, optional + The value to set the role key. + """ + + + allowInstanceMigration?: bool + + backend?: str + + disallowReauthentication?: bool + + id?: str + + instanceId?: str + + maxTtl?: str + + namespace?: str + + policies?: [str] + + role?: str + + tagKey?: str + + tagValue?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoleTagStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_roletag_blacklist.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_roletag_blacklist.k new file mode 100644 index 00000000..06ccc674 --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_roletag_blacklist.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRoletagBlacklist: + r""" + AuthBackendRoletagBlacklist is the Schema for the AuthBackendRoletagBlacklists API. Configures the periodic tidying operation of the blacklisted role tag entries. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRoletagBlacklist", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRoletagBlacklist" = "AuthBackendRoletagBlacklist" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpec: + r""" + AuthBackendRoletagBlacklistSpec defines the desired state of AuthBackendRoletagBlacklist + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderRef + + publishConnectionDetailsTo?: 
AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecForProvider: + r""" + aws vault upbound io v1alpha1 auth backend roletag blacklist spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Unique name of the auth backend to configure. + disablePeriodicTidy : bool, default is Undefined, optional + If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false. If true, disables the periodic tidying of the roletag blacklist entries. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + safetyBuffer : float, default is Undefined, optional + The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours. The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + """ + + + backend?: str + + disablePeriodicTidy?: bool + + namespace?: str + + safetyBuffer?: float + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. 
The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Unique name of the auth backend to configure. + disablePeriodicTidy : bool, default is Undefined, optional + If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false. If true, disables the periodic tidying of the roletag blacklist entries. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + safetyBuffer : float, default is Undefined, optional + The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours. The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + """ + + + backend?: str + + disablePeriodicTidy?: bool + + namespace?: str + + safetyBuffer?: float + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatus: + r""" + AuthBackendRoletagBlacklistStatus defines the observed state of AuthBackendRoletagBlacklist. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend roletag blacklist status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Unique name of the auth backend to configure. 
+ disablePeriodicTidy : bool, default is Undefined, optional + If set to true, disables the periodic tidying of the roletag blacklist entries. Defaults to false. If true, disables the periodic tidying of the roletag blacklist entries. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + safetyBuffer : float, default is Undefined, optional + The amount of extra time that must have passed beyond the roletag expiration, before it is removed from the backend storage. Defaults to 259,200 seconds, or 72 hours. The amount of extra time that must have passed beyond the roletag expiration, before it's removed from backend storage. + """ + + + backend?: str + + disablePeriodicTidy?: bool + + id?: str + + namespace?: str + + safetyBuffer?: float + + +schema AwsVaultUpboundIoV1alpha1AuthBackendRoletagBlacklistStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_sts_role.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_sts_role.k new file mode 100644 index 00000000..23b995de --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_auth_backend_sts_role.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendStsRole: + r""" + AuthBackendStsRole is the Schema for the AuthBackendStsRoles API. Configures an STS role in the Vault AWS Auth backend. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendStsRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "AuthBackendStsRole" = "AuthBackendStsRole" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpec + + status?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatus + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpec: + r""" + AuthBackendStsRoleSpec defines the desired state of AuthBackendStsRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecWriteConnectionSecretToRef + + +schema 
AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecForProvider: + r""" + aws vault upbound io v1alpha1 auth backend sts role spec for provider + + Attributes + ---------- + accountId : str, default is Undefined, optional + The AWS account ID to configure the STS role for. AWS account ID to be associated with STS role. + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + stsRole : str, default is Undefined, optional + The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id. AWS ARN for STS role to be assumed when interacting with the account specified. + """ + + + accountId?: str + + backend?: str + + namespace?: str + + stsRole?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + accountId : str, default is Undefined, optional + The AWS account ID to configure the STS role for. AWS account ID to be associated with STS role. + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + stsRole : str, default is Undefined, optional + The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id. AWS ARN for STS role to be assumed when interacting with the account specified. + """ + + + accountId?: str + + backend?: str + + namespace?: str + + stsRole?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatus: + r""" + AuthBackendStsRoleStatus defines the observed state of AuthBackendStsRole. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatusAtProvider: + r""" + aws vault upbound io v1alpha1 auth backend sts role status at provider + + Attributes + ---------- + accountId : str, default is Undefined, optional + The AWS account ID to configure the STS role for. AWS account ID to be associated with STS role. + backend : str, default is Undefined, optional + The path the AWS auth backend being configured was mounted at. Defaults to aws. Unique name of the auth backend to configure. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + stsRole : str, default is Undefined, optional + The STS role to assume when verifying requests made by EC2 instances in the account specified by account_id. AWS ARN for STS role to be assumed when interacting with the account specified. + """ + + + accountId?: str + + backend?: str + + id?: str + + namespace?: str + + stsRole?: str + + +schema AwsVaultUpboundIoV1alpha1AuthBackendStsRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..b86055d5 --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,563 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates an AWS secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1SecretBackendSpec + + status?: AwsVaultUpboundIoV1alpha1SecretBackendStatus + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + aws vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + accessKeySecretRef : AwsVaultUpboundIoV1alpha1SecretBackendSpecForProviderAccessKeySecretRef, default is Undefined, optional + access key secret ref + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. 
Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + iamEndpoint : str, default is Undefined, optional + Specifies a custom HTTP IAM endpoint to use. Specifies a custom HTTP IAM endpoint to use. + identityTokenAudience : str, default is Undefined, optional + The audience claim value. Requires Vault 1.16+. The audience claim value. + identityTokenKey : str, default is Undefined, optional + The key to use for signing identity tokens. Requires Vault 1.16+. The key to use for signing identity tokens. + identityTokenTtl : float, default is Undefined, optional + The TTL of generated identity tokens in seconds. Requires Vault 1.16+. The TTL of generated identity tokens in seconds. + local : bool, default is Undefined, optional + Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. Specifies if the secret backend is local only + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws. Path to mount the backend at. 
+ region : str, default is Undefined, optional + The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. + roleArn : str, default is Undefined, optional + Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. Role ARN to assume for plugin identity token federation. + secretKeySecretRef : AwsVaultUpboundIoV1alpha1SecretBackendSpecForProviderSecretKeySecretRef, default is Undefined, optional + secret key secret ref + stsEndpoint : str, default is Undefined, optional + Specifies a custom HTTP STS endpoint to use. Specifies a custom HTTP STS endpoint to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: Template describing how dynamic usernames are generated. + """ + + + accessKeySecretRef?: AwsVaultUpboundIoV1alpha1SecretBackendSpecForProviderAccessKeySecretRef + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + iamEndpoint?: str + + identityTokenAudience?: str + + identityTokenKey?: str + + identityTokenTtl?: float + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + region?: str + + roleArn?: str + + secretKeySecretRef?: AwsVaultUpboundIoV1alpha1SecretBackendSpecForProviderSecretKeySecretRef + + stsEndpoint?: str + + usernameTemplate?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecForProviderAccessKeySecretRef: + r""" + The AWS Access Key ID this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. The AWS Access Key ID to use when generating new credentials. 
+ + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecForProviderSecretKeySecretRef: + r""" + The AWS Secret Key this backend should use to issue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials. The AWS Secret Access Key to use when generating new credentials. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. 
Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + iamEndpoint : str, default is Undefined, optional + Specifies a custom HTTP IAM endpoint to use. Specifies a custom HTTP IAM endpoint to use. + identityTokenAudience : str, default is Undefined, optional + The audience claim value. Requires Vault 1.16+. The audience claim value. + identityTokenKey : str, default is Undefined, optional + The key to use for signing identity tokens. Requires Vault 1.16+. The key to use for signing identity tokens. + identityTokenTtl : float, default is Undefined, optional + The TTL of generated identity tokens in seconds. Requires Vault 1.16+. The TTL of generated identity tokens in seconds. + local : bool, default is Undefined, optional + Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. Specifies if the secret backend is local only + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws. Path to mount the backend at. 
+ region : str, default is Undefined, optional + The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. + roleArn : str, default is Undefined, optional + Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. Role ARN to assume for plugin identity token federation. + stsEndpoint : str, default is Undefined, optional + Specifies a custom HTTP STS endpoint to use. Specifies a custom HTTP STS endpoint to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: Template describing how dynamic usernames are generated. + """ + + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + iamEndpoint?: str + + identityTokenAudience?: str + + identityTokenKey?: str + + identityTokenTtl?: float + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + region?: str + + roleArn?: str + + stsEndpoint?: str + + usernameTemplate?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + aws vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + iamEndpoint : str, default is Undefined, optional + Specifies a custom HTTP IAM endpoint to use. Specifies a custom HTTP IAM endpoint to use. + id : str, default is Undefined, optional + id + identityTokenAudience : str, default is Undefined, optional + The audience claim value. 
Requires Vault 1.16+. The audience claim value. + identityTokenKey : str, default is Undefined, optional + The key to use for signing identity tokens. Requires Vault 1.16+. The key to use for signing identity tokens. + identityTokenTtl : float, default is Undefined, optional + The TTL of generated identity tokens in seconds. Requires Vault 1.16+. The TTL of generated identity tokens in seconds. + local : bool, default is Undefined, optional + Specifies whether the secrets mount will be marked as local. Local mounts are not replicated to performance replicas. Specifies if the secret backend is local only + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to aws. Path to mount the backend at. + region : str, default is Undefined, optional + The AWS region for API calls. Defaults to us-east-1. The AWS region to make API calls against. Defaults to us-east-1. + roleArn : str, default is Undefined, optional + Role ARN to assume for plugin identity token federation. Requires Vault 1.16+. Role ARN to assume for plugin identity token federation. + stsEndpoint : str, default is Undefined, optional + Specifies a custom HTTP STS endpoint to use. Specifies a custom HTTP STS endpoint to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. 
The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template: Template describing how dynamic usernames are generated. + """ + + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + iamEndpoint?: str + + id?: str + + identityTokenAudience?: str + + identityTokenKey?: str + + identityTokenTtl?: float + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + region?: str + + roleArn?: str + + stsEndpoint?: str + + usernameTemplate?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..f3eb6225 --- /dev/null +++ b/crossplane-provider-vault/aws/v1alpha1/aws_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,475 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role on an AWS Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "aws.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : AwsVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "aws.vault.upbound.io/v1alpha1" = "aws.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: AwsVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + 
aws vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS secret backend is mounted at, with no leading or trailing /s. The path of the AWS Secret Backend the role belongs to. + credentialType : str, default is Undefined, optional + Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token. Role credential type. + defaultStsTtl : float, default is Undefined, optional + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + iamGroups : [str], default is Undefined, optional + A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. 
+ maxStsTtl : float, default is Undefined, optional + The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + permissionsBoundaryArn : str, default is Undefined, optional + The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. + policyArns : [str], default is Undefined, optional + Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified. ARN for an existing IAM policy the role should use. + policyDocument : str, default is Undefined, optional + The IAM policy document for the role. 
The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns. IAM policy the role should use in JSON format. + roleArns : [str], default is Undefined, optional + Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise. ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' + userPath : str, default is Undefined, optional + The path for the user name. Valid only when credential_type is iam_user. Default is /. The path for the user name. Valid only when credential_type is iam_user. Default is / + """ + + + backend?: str + + credentialType?: str + + defaultStsTtl?: float + + iamGroups?: [str] + + maxStsTtl?: float + + name?: str + + namespace?: str + + permissionsBoundaryArn?: str + + policyArns?: [str] + + policyDocument?: str + + roleArns?: [str] + + userPath?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS secret backend is mounted at, with no leading or trailing /s. The path of the AWS Secret Backend the role belongs to. + credentialType : str, default is Undefined, optional + Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token. Role credential type. + defaultStsTtl : float, default is Undefined, optional + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + iamGroups : [str], default is Undefined, optional + A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + maxStsTtl : float, default is Undefined, optional + The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). 
Valid only when credential_type is one of assumed_role or federation_token. The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + permissionsBoundaryArn : str, default is Undefined, optional + The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. + policyArns : [str], default is Undefined, optional + Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified. ARN for an existing IAM policy the role should use. + policyDocument : str, default is Undefined, optional + The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. 
With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns. IAM policy the role should use in JSON format. + roleArns : [str], default is Undefined, optional + Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise. ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' + userPath : str, default is Undefined, optional + The path for the user name. Valid only when credential_type is iam_user. Default is /. The path for the user name. Valid only when credential_type is iam_user. Default is / + """ + + + backend?: str + + credentialType?: str + + defaultStsTtl?: float + + iamGroups?: [str] + + maxStsTtl?: float + + name?: str + + namespace?: str + + permissionsBoundaryArn?: str + + policyArns?: [str] + + policyDocument?: str + + roleArns?: [str] + + userPath?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : AwsVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AwsVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AwsVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [AwsVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + aws vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the AWS secret backend is mounted at, with no leading or trailing /s. The path of the AWS Secret Backend the role belongs to. + credentialType : str, default is Undefined, optional + Specifies the type of credential to be used when retrieving credentials from the role. Must be one of iam_user, assumed_role, or federation_token. Role credential type. + defaultStsTtl : float, default is Undefined, optional + The default TTL in seconds for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. The default TTL in seconds for STS credentials. 
When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when credential_type is one of assumed_role or federation_token. + iamGroups : [str], default is Undefined, optional + A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. A list of IAM group names. IAM users generated against this vault role will be added to these IAM Groups. For a credential type of assumed_role or federation_token, the policies sent to the corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the policies from each group in iam_groups combined with the policy_document and policy_arns parameters. + id : str, default is Undefined, optional + id + maxStsTtl : float, default is Undefined, optional + The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. The max allowed TTL in seconds for STS credentials (credentials TTL are capped to max_sts_ttl). Valid only when credential_type is one of assumed_role or federation_token. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + permissionsBoundaryArn : str, default is Undefined, optional + The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. The ARN of the AWS Permissions Boundary to attach to IAM users created in the role. Valid only when credential_type is iam_user. If not specified, then no permissions boundary policy will be attached. + policyArns : [str], default is Undefined, optional + Specifies a list of AWS managed policy ARNs. The behavior depends on the credential type. With iam_user, the policies will be attached to IAM users when they are requested. With assumed_role and federation_token, the policy ARNs will act as a filter on what the credentials can do, similar to policy_document. When credential_type is iam_user or federation_token, at least one of policy_document or policy_arns must be specified. ARN for an existing IAM policy the role should use. + policyDocument : str, default is Undefined, optional + The IAM policy document for the role. The behavior depends on the credential type. With iam_user, the policy document will be attached to the IAM user generated and augment the permissions the IAM user has. With assumed_role and federation_token, the policy document will act as a filter on what the credentials can do, similar to policy_arns. IAM policy the role should use in JSON format. + roleArns : [str], default is Undefined, optional + Specifies the ARNs of the AWS roles this Vault role is allowed to assume. Required when credential_type is assumed_role and prohibited otherwise. ARNs of AWS roles allowed to be assumed. Only valid when credential_type is 'assumed_role' + userPath : str, default is Undefined, optional + The path for the user name. Valid only when credential_type is iam_user. Default is /. The path for the user name. Valid only when credential_type is iam_user. 
Default is / + """ + + + backend?: str + + credentialType?: str + + defaultStsTtl?: float + + iamGroups?: [str] + + id?: str + + maxStsTtl?: float + + name?: str + + namespace?: str + + permissionsBoundaryArn?: str + + policyArns?: [str] + + policyDocument?: str + + roleArns?: [str] + + userPath?: str + + +schema AwsVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_config.k b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_config.k new file mode 100644 index 00000000..cd8cf25e --- /dev/null +++ b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_config.k 
@@ -0,0 +1,457 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendConfig: + r""" + AuthBackendConfig is the Schema for the AuthBackendConfigs API. Configures the Azure Auth Backend in Vault. + + Attributes + ---------- + apiVersion : str, default is "azure.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendConfig", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpec, default is Undefined, required + spec + status : AzureVaultUpboundIoV1alpha1AuthBackendConfigStatus, default is Undefined, optional + status + """ + + + apiVersion: "azure.vault.upbound.io/v1alpha1" = "azure.vault.upbound.io/v1alpha1" + + kind: "AuthBackendConfig" = "AuthBackendConfig" + + metadata?: v1.ObjectMeta + + spec: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpec + + status?: AzureVaultUpboundIoV1alpha1AuthBackendConfigStatus + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpec: + r""" + AuthBackendConfigSpec defines the desired state of AuthBackendConfig + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProvider, default is Undefined, required + for provider + initProvider : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProvider + + initProvider?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRef + + providerRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRef + + publishConnectionDetailsTo?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecWriteConnectionSecretToRef + + +schema 
AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProvider: + r""" + azure vault upbound io v1alpha1 auth backend config spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the Azure auth backend being configured was mounted at. Defaults to azure. Unique name of the auth backend to configure. + clientIdSecretRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderClientIDSecretRef, default is Undefined, optional + client Id secret ref + clientSecretSecretRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderClientSecretSecretRef, default is Undefined, optional + client secret secret ref + environment : str, default is Undefined, optional + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults to AzurePublicCloud. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + resource : str, default is Undefined, optional + The configured URL for the application registered in Azure Active Directory. The configured URL for the application registered in Azure Active Directory. 
+ tenantIdSecretRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderTenantIDSecretRef, default is Undefined, optional + tenant Id secret ref + """ + + + backend?: str + + clientIdSecretRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderClientIDSecretRef + + clientSecretSecretRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderClientSecretSecretRef + + environment?: str + + namespace?: str + + resource?: str + + tenantIdSecretRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderTenantIDSecretRef + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderClientIDSecretRef: + r""" + The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderClientSecretSecretRef: + r""" + The client secret for credentials to query the Azure APIs. The client secret for credentials to query the Azure APIs + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderTenantIDSecretRef: + r""" + The tenant id for the Azure Active Directory organization. The tenant id for the Azure Active Directory organization. 
+ + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the Azure auth backend being configured was mounted at. Defaults to azure. Unique name of the auth backend to configure. + environment : str, default is Undefined, optional + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults to AzurePublicCloud. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + resource : str, default is Undefined, optional + The configured URL for the application registered in Azure Active Directory. The configured URL for the application registered in Azure Active Directory. + """ + + + backend?: str + + environment?: str + + namespace?: str + + resource?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRefPolicy + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRef + + metadata?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigStatus: + r""" + AuthBackendConfigStatus defines the observed state of AuthBackendConfig. 
+ + Attributes + ---------- + atProvider : AzureVaultUpboundIoV1alpha1AuthBackendConfigStatusAtProvider, default is Undefined, optional + at provider + conditions : [AzureVaultUpboundIoV1alpha1AuthBackendConfigStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AzureVaultUpboundIoV1alpha1AuthBackendConfigStatusAtProvider + + conditions?: [AzureVaultUpboundIoV1alpha1AuthBackendConfigStatusConditionsItems0] + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigStatusAtProvider: + r""" + azure vault upbound io v1alpha1 auth backend config status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the Azure auth backend being configured was mounted at. Defaults to azure. Unique name of the auth backend to configure. + environment : str, default is Undefined, optional + The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. Defaults to AzurePublicCloud. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + resource : str, default is Undefined, optional + The configured URL for the application registered in Azure Active Directory. The configured URL for the application registered in Azure Active Directory. + """ + + + backend?: str + + environment?: str + + id?: str + + namespace?: str + + resource?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendConfigStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..ca324043 --- /dev/null +++ b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,547 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Azure auth backend roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "azure.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : AzureVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "azure.vault.upbound.io/v1alpha1" = "azure.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: AzureVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either 
"Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + azure vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. 
+ boundGroupIds : [str], default is Undefined, optional + If set, defines a constraint on the groups that can perform the login operation that they should be using the group ID specified by this field. The list of group ids that login is restricted to. + boundLocations : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that the location in their identity document must match the one specified by this field. The list of locations that login is restricted to. + boundResourceGroups : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that they be associated with the resource group that matches the value specified by this field. The list of resource groups that login is restricted to. + boundScaleSets : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that they must match the scale set specified by this field. The list of scale set names that the login is restricted to. + boundServicePrincipalIds : [str], default is Undefined, optional + If set, defines a constraint on the service principals that can perform the login operation that they should be possess the ids specified by this field. The list of Service Principal IDs that login is restricted to. + boundSubscriptionIds : [str], default is Undefined, optional + If set, defines a constraint on the subscriptions that can perform the login operation to ones which matches the value specified by this field. The list of subscription IDs that login is restricted to. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + role : str, default is Undefined, optional + The name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. 
Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + backend?: str + + boundGroupIds?: [str] + + boundLocations?: [str] + + boundResourceGroups?: [str] + + boundScaleSets?: [str] + + boundServicePrincipalIds?: [str] + + boundSubscriptionIds?: [str] + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + boundGroupIds : [str], default is Undefined, optional + If set, defines a constraint on the groups that can perform the login operation that they should be using the group ID specified by this field. The list of group ids that login is restricted to. + boundLocations : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that the location in their identity document must match the one specified by this field. The list of locations that login is restricted to. + boundResourceGroups : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that they be associated with the resource group that matches the value specified by this field. The list of resource groups that login is restricted to. + boundScaleSets : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that they must match the scale set specified by this field. The list of scale set names that the login is restricted to. + boundServicePrincipalIds : [str], default is Undefined, optional + If set, defines a constraint on the service principals that can perform the login operation that they should be possess the ids specified by this field. The list of Service Principal IDs that login is restricted to. + boundSubscriptionIds : [str], default is Undefined, optional + If set, defines a constraint on the subscriptions that can perform the login operation to ones which matches the value specified by this field. The list of subscription IDs that login is restricted to. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + The name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. 
Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + backend?: str + + boundGroupIds?: [str] + + boundLocations?: [str] + + boundResourceGroups?: [str] + + boundScaleSets?: [str] + + boundServicePrincipalIds?: [str] + + boundSubscriptionIds?: [str] + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. + + Attributes + ---------- + atProvider : AzureVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AzureVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AzureVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [AzureVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + azure vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the auth backend to configure. + boundGroupIds : [str], default is Undefined, optional + If set, defines a constraint on the groups that can perform the login operation that they should be using the group ID specified by this field. The list of group ids that login is restricted to. + boundLocations : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that the location in their identity document must match the one specified by this field. The list of locations that login is restricted to. 
+ boundResourceGroups : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that they be associated with the resource group that matches the value specified by this field. The list of resource groups that login is restricted to. + boundScaleSets : [str], default is Undefined, optional + If set, defines a constraint on the virtual machines that can perform the login operation that they must match the scale set specified by this field. The list of scale set names that the login is restricted to. + boundServicePrincipalIds : [str], default is Undefined, optional + If set, defines a constraint on the service principals that can perform the login operation that they should be possess the ids specified by this field. The list of Service Principal IDs that login is restricted to. + boundSubscriptionIds : [str], default is Undefined, optional + If set, defines a constraint on the subscriptions that can perform the login operation to ones which matches the value specified by this field. The list of subscription IDs that login is restricted to. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + The name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. 
Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. 
Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + backend?: str + + boundGroupIds?: [str] + + boundLocations?: [str] + + boundResourceGroups?: [str] + + boundScaleSets?: [str] + + boundServicePrincipalIds?: [str] + + boundSubscriptionIds?: [str] + + id?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema AzureVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..a5de6583 --- /dev/null +++ b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,507 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates an azure secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "azure.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AzureVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : AzureVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "azure.vault.upbound.io/v1alpha1" = "azure.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: AzureVaultUpboundIoV1alpha1SecretBackendSpec + + status?: AzureVaultUpboundIoV1alpha1SecretBackendStatus + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the 
external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AzureVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : AzureVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AzureVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: AzureVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + azure vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + clientIdSecretRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientIDSecretRef, default is Undefined, optional + client Id secret ref + clientSecretSecretRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientSecretSecretRef, default is Undefined, optional + client secret 
secret ref + description : str, default is Undefined, optional + Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + environment : str, default is Undefined, optional + The Azure environment. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Defaults to azure. Path to mount the backend at. + subscriptionIdSecretRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderSubscriptionIDSecretRef, default is Undefined, optional + subscription Id secret ref + tenantIdSecretRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderTenantIDSecretRef, default is Undefined, optional + tenant Id secret ref + useMicrosoftGraphApi : bool, default is Undefined, optional + Indicates whether the secrets engine should use the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. For more information, please refer to the Vault docs Use the Microsoft Graph API. 
Should be set to true on vault-1.10+ + """ + + + clientIdSecretRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientIDSecretRef + + clientSecretSecretRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientSecretSecretRef + + description?: str + + disableRemount?: bool + + environment?: str + + namespace?: str + + path?: str + + subscriptionIdSecretRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderSubscriptionIDSecretRef + + tenantIdSecretRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderTenantIDSecretRef + + useMicrosoftGraphApi?: bool + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientIDSecretRef: + r""" + The OAuth2 client id to connect to Azure. The client id for credentials to query the Azure APIs. Currently read permissions to query compute resources are required. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientSecretSecretRef: + r""" + The OAuth2 client secret to connect to Azure. The client secret for credentials to query the Azure APIs + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderSubscriptionIDSecretRef: + r""" + The subscription id for the Azure Active Directory. The subscription id for the Azure Active Directory. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. 
+ namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecForProviderTenantIDSecretRef: + r""" + The tenant id for the Azure Active Directory. The tenant id for the Azure Active Directory organization. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + description : str, default is Undefined, optional + Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + environment : str, default is Undefined, optional + The Azure environment. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Defaults to azure. Path to mount the backend at. + useMicrosoftGraphApi : bool, default is Undefined, optional + Indicates whether the secrets engine should use the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. For more information, please refer to the Vault docs Use the Microsoft Graph API. Should be set to true on vault-1.10+ + """ + + + description?: str + + disableRemount?: bool + + environment?: str + + namespace?: str + + path?: str + + useMicrosoftGraphApi?: bool + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : AzureVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [AzureVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AzureVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [AzureVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema AzureVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + azure vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + description : str, default is Undefined, optional + Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + environment : str, default is Undefined, optional + The Azure environment. The Azure cloud environment. Valid values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Defaults to azure. Path to mount the backend at. + useMicrosoftGraphApi : bool, default is Undefined, optional + Indicates whether the secrets engine should use the Microsoft Graph API. This parameter has been deprecated and will be ignored in vault-1.12+. For more information, please refer to the Vault docs Use the Microsoft Graph API. Should be set to true on vault-1.10+ + """ + + + description?: str + + disableRemount?: bool + + environment?: str + + id?: str + + namespace?: str + + path?: str + + useMicrosoftGraphApi?: bool + + +schema AzureVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..9771d778 --- /dev/null +++ b/crossplane-provider-vault/azure/v1alpha1/azure_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,587 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Creates an azure secret backend role for Vault. + + Attributes + ---------- + apiVersion : str, default is "azure.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : AzureVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "azure.vault.upbound.io/v1alpha1" = "azure.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: AzureVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema 
AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + azure vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + applicationObjectId : str, default is Undefined, optional + Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. + azureGroups : [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAzureGroupsItems0], default is Undefined, optional + List of Azure groups to be assigned to the generated service principal. + azureRoles : [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAzureRolesItems0], default is Undefined, optional + List of Azure roles to be assigned to the generated service principal. + backend : str, default is Undefined, optional + Path to the mounted Azure auth backend Unique name of the auth backend to configure. + description : str, default is Undefined, optional + Human-friendly description of the mount for the backend. + maxTtl : str, default is Undefined, optional + – Specifies the maximum TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. Human-friendly description of the mount for the backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + permanentlyDelete : bool, default is Undefined, optional + Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. 
Defaults to false. For Vault v1.12+. Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. + role : str, default is Undefined, optional + Name of the Azure role Name of the role to create + signInAudience : str, default is Undefined, optional + Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount + tags : [str], default is Undefined, optional + - A list of Azure tags to attach to an application. Requires Vault 1.16+. Comma-separated strings of Azure tags to attach to an application. + ttl : str, default is Undefined, optional + – Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. Human-friendly description of the mount for the backend. 
+ """ + + + applicationObjectId?: str + + azureGroups?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAzureGroupsItems0] + + azureRoles?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAzureRolesItems0] + + backend?: str + + description?: str + + maxTtl?: str + + namespace?: str + + permanentlyDelete?: bool + + role?: str + + signInAudience?: str + + tags?: [str] + + ttl?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAzureGroupsItems0: + r""" + azure vault upbound io v1alpha1 secret backend role spec for provider azure groups items0 + + Attributes + ---------- + groupName : str, default is Undefined, optional + group name + """ + + + groupName?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAzureRolesItems0: + r""" + azure vault upbound io v1alpha1 secret backend role spec for provider azure roles items0 + + Attributes + ---------- + roleId : str, default is Undefined, optional + role Id + roleName : str, default is Undefined, optional + role name + scope : str, default is Undefined, optional + scope + """ + + + roleId?: str + + roleName?: str + + scope?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + applicationObjectId : str, default is Undefined, optional + Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. + azureGroups : [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAzureGroupsItems0], default is Undefined, optional + List of Azure groups to be assigned to the generated service principal. + azureRoles : [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAzureRolesItems0], default is Undefined, optional + List of Azure roles to be assigned to the generated service principal. + backend : str, default is Undefined, optional + Path to the mounted Azure auth backend Unique name of the auth backend to configure. + description : str, default is Undefined, optional + Human-friendly description of the mount for the backend. + maxTtl : str, default is Undefined, optional + – Specifies the maximum TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. Human-friendly description of the mount for the backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + permanentlyDelete : bool, default is Undefined, optional + Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. 
Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. + role : str, default is Undefined, optional + Name of the Azure role Name of the role to create + signInAudience : str, default is Undefined, optional + Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount + tags : [str], default is Undefined, optional + - A list of Azure tags to attach to an application. Requires Vault 1.16+. Comma-separated strings of Azure tags to attach to an application. + ttl : str, default is Undefined, optional + – Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. Human-friendly description of the mount for the backend. 
+ """ + + + applicationObjectId?: str + + azureGroups?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAzureGroupsItems0] + + azureRoles?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAzureRolesItems0] + + backend?: str + + description?: str + + maxTtl?: str + + namespace?: str + + permanentlyDelete?: bool + + role?: str + + signInAudience?: str + + tags?: [str] + + ttl?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAzureGroupsItems0: + r""" + azure vault upbound io v1alpha1 secret backend role spec init provider azure groups items0 + + Attributes + ---------- + groupName : str, default is Undefined, optional + group name + """ + + + groupName?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAzureRolesItems0: + r""" + azure vault upbound io v1alpha1 secret backend role spec init provider azure roles items0 + + Attributes + ---------- + roleId : str, default is Undefined, optional + role Id + roleName : str, default is Undefined, optional + role name + scope : str, default is Undefined, optional + scope + """ + + + roleId?: str + + roleName?: str + + scope?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + azure vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + applicationObjectId : str, default is Undefined, optional + Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored. Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. + azureGroups : [AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAzureGroupsItems0], default is Undefined, optional + List of Azure groups to be assigned to the generated service principal. + azureRoles : [AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAzureRolesItems0], default is Undefined, optional + List of Azure roles to be assigned to the generated service principal. 
+ backend : str, default is Undefined, optional + Path to the mounted Azure auth backend Unique name of the auth backend to configure. + description : str, default is Undefined, optional + Human-friendly description of the mount for the backend. + id : str, default is Undefined, optional + id + maxTtl : str, default is Undefined, optional + – Specifies the maximum TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time. Human-friendly description of the mount for the backend. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + permanentlyDelete : bool, default is Undefined, optional + Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+. Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. + role : str, default is Undefined, optional + Name of the Azure role Name of the role to create + signInAudience : str, default is Undefined, optional + Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+. Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount + tags : [str], default is Undefined, optional + - A list of Azure tags to attach to an application. Requires Vault 1.16+. 
Comma-separated strings of Azure tags to attach to an application. + ttl : str, default is Undefined, optional + – Specifies the default TTL for service principals generated using this role. Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time. Human-friendly description of the mount for the backend. + """ + + + applicationObjectId?: str + + azureGroups?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAzureGroupsItems0] + + azureRoles?: [AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAzureRolesItems0] + + backend?: str + + description?: str + + id?: str + + maxTtl?: str + + namespace?: str + + permanentlyDelete?: bool + + role?: str + + signInAudience?: str + + tags?: [str] + + ttl?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAzureGroupsItems0: + r""" + azure vault upbound io v1alpha1 secret backend role status at provider azure groups items0 + + Attributes + ---------- + groupName : str, default is Undefined, optional + group name + objectId : str, default is Undefined, optional + object Id + """ + + + groupName?: str + + objectId?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAzureRolesItems0: + r""" + azure vault upbound io v1alpha1 secret backend role status at provider azure roles items0 + + Attributes + ---------- + roleId : str, default is Undefined, optional + role Id + roleName : str, default is Undefined, optional + role name + scope : str, default is Undefined, optional + scope + """ + + + roleId?: str + + roleName?: str + + scope?: str + + +schema AzureVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/cert/v1alpha1/cert_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/cert/v1alpha1/cert_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..fa5d2f37 --- /dev/null +++ b/crossplane-provider-vault/cert/v1alpha1/cert_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,655 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. + + Attributes + ---------- + apiVersion : str, default is "cert.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : CertVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : CertVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "cert.vault.upbound.io/v1alpha1" = "cert.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: CertVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: CertVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + cert vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + allowedCommonNames : [str], default is Undefined, optional + allowed common names + allowedDnsSans : [str], default is Undefined, optional + allowed Dns sans + allowedEmailSans : [str], default is Undefined, optional + allowed email sans + allowedNames : [str], default is Undefined, 
optional + allowed names + allowedOrganizationUnits : [str], default is Undefined, optional + allowed organization units + allowedOrganizationalUnits : [str], default is Undefined, optional + allowed organizational units + allowedUriSans : [str], default is Undefined, optional + allowed Uri sans + backend : str, default is Undefined, optional + backend + certificate : str, default is Undefined, optional + certificate + displayName : str, default is Undefined, optional + display name + name : str, default is Undefined, optional + name + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + ocspCaCertificates : str, default is Undefined, optional + Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. + ocspEnabled : bool, default is Undefined, optional + If enabled, validate certificates' revocation status using OCSP. + ocspFailOpen : bool, default is Undefined, optional + If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. + ocspQueryAllServers : bool, default is Undefined, optional + If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. + ocspServersOverride : [str], default is Undefined, optional + A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. 
+ requiredExtensions : [str], default is Undefined, optional + required extensions + tokenBoundCidrs : [str], default is Undefined, optional + Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token to generate, service or batch + """ + + + allowedCommonNames?: [str] + + allowedDnsSans?: [str] + + allowedEmailSans?: [str] + + allowedNames?: [str] + + allowedOrganizationUnits?: [str] + + allowedOrganizationalUnits?: [str] + + allowedUriSans?: [str] + + backend?: str + + certificate?: str + + displayName?: str + + name?: str + + namespace?: str + + ocspCaCertificates?: str + + ocspEnabled?: bool + + ocspFailOpen?: bool + + ocspQueryAllServers?: bool + + ocspServersOverride?: [str] + + requiredExtensions?: [str] + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedCommonNames : [str], default is Undefined, optional + allowed common names + allowedDnsSans : [str], default is Undefined, optional + allowed Dns sans + allowedEmailSans : [str], default is Undefined, optional + allowed email sans + allowedNames : [str], default is Undefined, optional + allowed names + allowedOrganizationUnits : [str], default is Undefined, optional + allowed organization units + allowedOrganizationalUnits : [str], default is Undefined, optional + allowed organizational units + allowedUriSans : [str], default is Undefined, optional + allowed Uri sans + backend : str, default is Undefined, optional + backend + certificate : str, default is Undefined, optional + certificate + displayName : str, default is Undefined, optional + display name + name : str, default is Undefined, optional + name + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + ocspCaCertificates : str, default is Undefined, optional + Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. + ocspEnabled : bool, default is Undefined, optional + If enabled, validate certificates' revocation status using OCSP. 
+ ocspFailOpen : bool, default is Undefined, optional + If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. + ocspQueryAllServers : bool, default is Undefined, optional + If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. + ocspServersOverride : [str], default is Undefined, optional + A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + requiredExtensions : [str], default is Undefined, optional + required extensions + tokenBoundCidrs : [str], default is Undefined, optional + Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token to generate, service or batch + """ + + + allowedCommonNames?: [str] + + allowedDnsSans?: [str] + + allowedEmailSans?: [str] + + allowedNames?: [str] + + allowedOrganizationUnits?: [str] + + allowedOrganizationalUnits?: [str] + + allowedUriSans?: [str] + + backend?: str + + 
certificate?: str + + displayName?: str + + name?: str + + namespace?: str + + ocspCaCertificates?: str + + ocspEnabled?: bool + + ocspFailOpen?: bool + + ocspQueryAllServers?: bool + + ocspServersOverride?: [str] + + requiredExtensions?: [str] + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
+ + Attributes + ---------- + atProvider : CertVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [CertVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: CertVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [CertVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + cert vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + allowedCommonNames : [str], default is Undefined, optional + allowed common names + allowedDnsSans : [str], default is Undefined, optional + allowed Dns sans + allowedEmailSans : [str], default is Undefined, optional + allowed email sans + allowedNames : [str], default is Undefined, optional + allowed names + allowedOrganizationUnits : [str], default is Undefined, optional + allowed organization units + allowedOrganizationalUnits : [str], default is Undefined, optional + allowed organizational units + allowedUriSans : [str], default is Undefined, optional + allowed Uri sans + backend : str, default is Undefined, optional + backend + certificate : str, default is Undefined, optional + certificate + displayName : str, default is Undefined, optional + display name + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + name + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + ocspCaCertificates : str, default is Undefined, optional + Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. + ocspEnabled : bool, default is Undefined, optional + If enabled, validate certificates' revocation status using OCSP. 
+ ocspFailOpen : bool, default is Undefined, optional + If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. + ocspQueryAllServers : bool, default is Undefined, optional + If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. + ocspServersOverride : [str], default is Undefined, optional + A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. + requiredExtensions : [str], default is Undefined, optional + required extensions + tokenBoundCidrs : [str], default is Undefined, optional + Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token to generate, service or batch + """ + + + allowedCommonNames?: [str] + + allowedDnsSans?: [str] + + allowedEmailSans?: [str] + + allowedNames?: [str] + + allowedOrganizationUnits?: [str] + + allowedOrganizationalUnits?: [str] + + allowedUriSans?: [str] + + backend?: str + + 
certificate?: str + + displayName?: str + + id?: str + + name?: str + + namespace?: str + + ocspCaCertificates?: str + + ocspEnabled?: bool + + ocspFailOpen?: bool + + ocspQueryAllServers?: bool + + ocspServersOverride?: [str] + + requiredExtensions?: [str] + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema CertVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..7a69952f --- /dev/null +++ b/crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,541 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates a Consul secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "consul.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : ConsulVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : ConsulVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "consul.vault.upbound.io/v1alpha1" = "consul.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: ConsulVaultUpboundIoV1alpha1SecretBackendSpec + + status?: ConsulVaultUpboundIoV1alpha1SecretBackendStatus + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" 
the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : ConsulVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + consul vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + address : str, default is Undefined, optional + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". 
+ bootstrap : bool, default is Undefined, optional + Denotes that the resource is used to bootstrap the Consul ACL system. Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. + caCert : str, default is Undefined, optional + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + clientCertSecretRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientCertSecretRef, default is Undefined, optional + client cert secret ref + clientKeySecretRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientKeySecretRef, default is Undefined, optional + client key secret ref + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Specifies if the secret backend is local only. Specifies if the secret backend is local only + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + The unique location this backend should be mounted at. Must not begin or end with a /. Defaults to consul. Unique name of the Vault Consul mount to configure + scheme : str, default is Undefined, optional + Specifies the URL scheme to use. Defaults to http. Specifies the URL scheme to use. Defaults to "http". + tokenSecretRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderTokenSecretRef, default is Undefined, optional + token secret ref + """ + + + address?: str + + bootstrap?: bool + + caCert?: str + + clientCertSecretRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientCertSecretRef + + clientKeySecretRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientKeySecretRef + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + scheme?: str + + tokenSecretRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderTokenSecretRef + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientCertSecretRef: + r""" + Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientKeySecretRef: + r""" + Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. 
Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecForProviderTokenSecretRef: + r""" + The Consul management token this backend should use to issue new tokens. This field is required when bootstrap is false. Specifies the Consul token to use when managing or issuing new tokens. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + address : str, default is Undefined, optional + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". 
Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + bootstrap : bool, default is Undefined, optional + Denotes that the resource is used to bootstrap the Consul ACL system. Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. + caCert : str, default is Undefined, optional + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Specifies if the secret backend is local only. Specifies if the secret backend is local only + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique location this backend should be mounted at. Must not begin or end with a /. Defaults to consul. 
Unique name of the Vault Consul mount to configure + scheme : str, default is Undefined, optional + Specifies the URL scheme to use. Defaults to http. Specifies the URL scheme to use. Defaults to "http". + """ + + + address?: str + + bootstrap?: bool + + caCert?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + scheme?: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. 
+ + Attributes + ---------- + atProvider : ConsulVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [ConsulVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: ConsulVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [ConsulVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + consul vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + address : str, default is Undefined, optional + Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". Specifies the address of the Consul instance, provided as "host:port" like "127.0.0.1:8500". + bootstrap : bool, default is Undefined, optional + Denotes that the resource is used to bootstrap the Consul ACL system. Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap. + caCert : str, default is Undefined, optional + CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded. + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. 
+ id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Specifies if the secret backend is local only. Specifies if the secret backend is local only + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique location this backend should be mounted at. Must not begin or end with a /. Defaults to consul. Unique name of the Vault Consul mount to configure + scheme : str, default is Undefined, optional + Specifies the URL scheme to use. Defaults to http. Specifies the URL scheme to use. Defaults to "http". + """ + + + address?: str + + bootstrap?: bool + + caCert?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + id?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + scheme?: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. 
+ status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..93056784 --- /dev/null +++ b/crossplane-provider-vault/consul/v1alpha1/consul_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,499 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Manages a Consul secrets role for a Consul secrets engine in Vault. + + Attributes + ---------- + apiVersion : str, default is "consul.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "consul.vault.upbound.io/v1alpha1" = "consul.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema 
ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + consul vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. The path of the Consul Secret Backend the role belongs to. + consulNamespace : str, default is Undefined, optional + The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ + consulPolicies : [str], default is Undefined, optional + SEE NOTE The list of Consul ACL policies to associate with these roles. List of Consul policies to associate with this role + consulRoles : [str], default is Undefined, optional + SEE NOTE Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ + local : bool, default is Undefined, optional + Indicates that the token should not be replicated globally and instead be local to the current datacenter. Indicates that the token should not be replicated globally and instead be local to the current datacenter. + maxTtl : float, default is Undefined, optional + Maximum TTL for leases associated with this role, in seconds. Maximum TTL for leases associated with this role, in seconds. + name : str, default is Undefined, optional + The name of the Consul secrets engine role to create. The name of an existing role against which to create this Consul credential + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + nodeIdentities : [str], default is Undefined, optional + SEE NOTE Set of Consul node identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set of Consul node identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+ + partition : str, default is Undefined, optional + The admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ + policies : [str], default is Undefined, optional + The list of Consul ACL policies to associate with these roles. NOTE: The new parameter consul_policies should be used in favor of this. This parameter, policies, remains supported for legacy users, but Vault has deprecated this field. List of Consul policies to associate with this role + serviceIdentities : [str], default is Undefined, optional + SEE NOTE Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+ + tokenType : str, default is Undefined, optional + Specifies the type of token to create when using this role. Valid values are "client" or "management". Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. Specifies the type of token to create when using this role. Valid values are "client" or "management". + ttl : float, default is Undefined, optional + Specifies the TTL for this role. Specifies the TTL for this role. 
+ """ + + + backend?: str + + consulNamespace?: str + + consulPolicies?: [str] + + consulRoles?: [str] + + local?: bool + + maxTtl?: float + + name?: str + + namespace?: str + + nodeIdentities?: [str] + + partition?: str + + policies?: [str] + + serviceIdentities?: [str] + + tokenType?: str + + ttl?: float + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. The path of the Consul Secret Backend the role belongs to. + consulNamespace : str, default is Undefined, optional + The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ + consulPolicies : [str], default is Undefined, optional + SEE NOTE The list of Consul ACL policies to associate with these roles. List of Consul policies to associate with this role + consulRoles : [str], default is Undefined, optional + SEE NOTE Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles to attach to the token. 
Applicable for Vault 1.10+ with Consul 1.5+ + local : bool, default is Undefined, optional + Indicates that the token should not be replicated globally and instead be local to the current datacenter. Indicates that the token should not be replicated globally and instead be local to the current datacenter. + maxTtl : float, default is Undefined, optional + Maximum TTL for leases associated with this role, in seconds. Maximum TTL for leases associated with this role, in seconds. + name : str, default is Undefined, optional + The name of the Consul secrets engine role to create. The name of an existing role against which to create this Consul credential + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + nodeIdentities : [str], default is Undefined, optional + SEE NOTE Set of Consul node identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set of Consul node identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+ + partition : str, default is Undefined, optional + The admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ + policies : [str], default is Undefined, optional + The list of Consul ACL policies to associate with these roles. NOTE: The new parameter consul_policies should be used in favor of this. This parameter, policies, remains supported for legacy users, but Vault has deprecated this field. List of Consul policies to associate with this role + serviceIdentities : [str], default is Undefined, optional + SEE NOTE Set of Consul service identities to attach to the token. 
Applicable for Vault 1.11+ with Consul 1.5+. Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+ + tokenType : str, default is Undefined, optional + Specifies the type of token to create when using this role. Valid values are "client" or "management". Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. Specifies the type of token to create when using this role. Valid values are "client" or "management". + ttl : float, default is Undefined, optional + Specifies the TTL for this role. Specifies the TTL for this role. + """ + + + backend?: str + + consulNamespace?: str + + consulPolicies?: [str] + + consulRoles?: [str] + + local?: bool + + maxTtl?: float + + name?: str + + namespace?: str + + nodeIdentities?: [str] + + partition?: str + + policies?: [str] + + serviceIdentities?: [str] + + tokenType?: str + + ttl?: float + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + consul vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of an existing Consul secrets backend mount. Must not begin or end with a /. One of path or backend is required. The path of the Consul Secret Backend the role belongs to. + consulNamespace : str, default is Undefined, optional + The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+". The Consul namespace that the token will be created in. Applicable for Vault 1.10+ and Consul 1.7+ + consulPolicies : [str], default is Undefined, optional + SEE NOTE The list of Consul ACL policies to associate with these roles. 
List of Consul policies to associate with this role + consulRoles : [str], default is Undefined, optional + SEE NOTE Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+. Set of Consul roles to attach to the token. Applicable for Vault 1.10+ with Consul 1.5+ + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Indicates that the token should not be replicated globally and instead be local to the current datacenter. Indicates that the token should not be replicated globally and instead be local to the current datacenter. + maxTtl : float, default is Undefined, optional + Maximum TTL for leases associated with this role, in seconds. Maximum TTL for leases associated with this role, in seconds. + name : str, default is Undefined, optional + The name of the Consul secrets engine role to create. The name of an existing role against which to create this Consul credential + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + nodeIdentities : [str], default is Undefined, optional + SEE NOTE Set of Consul node identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+. Set of Consul node identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+ + partition : str, default is Undefined, optional + The admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+". The Consul admin partition that the token will be created in. Applicable for Vault 1.10+ and Consul 1.11+ + policies : [str], default is Undefined, optional + The list of Consul ACL policies to associate with these roles. NOTE: The new parameter consul_policies should be used in favor of this. 
This parameter, policies, remains supported for legacy users, but Vault has deprecated this field. List of Consul policies to associate with this role + serviceIdentities : [str], default is Undefined, optional + SEE NOTE Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+. Set of Consul service identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+ + tokenType : str, default is Undefined, optional + Specifies the type of token to create when using this role. Valid values are "client" or "management". Deprecated: Consul 1.11 and later removed the legacy ACL system which supported this field. Specifies the type of token to create when using this role. Valid values are "client" or "management". + ttl : float, default is Undefined, optional + Specifies the TTL for this role. Specifies the TTL for this role. + """ + + + backend?: str + + consulNamespace?: str + + consulPolicies?: [str] + + consulRoles?: [str] + + id?: str + + local?: bool + + maxTtl?: float + + name?: str + + namespace?: str + + nodeIdentities?: [str] + + partition?: str + + policies?: [str] + + serviceIdentities?: [str] + + tokenType?: str + + ttl?: float + + +schema ConsulVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_connection.k b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_connection.k new file mode 100644 index 00000000..92abeb3f --- /dev/null +++ b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_connection.k 
@@ -0,0 +1,3481 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendConnection: + r""" + SecretBackendConnection is the Schema for the SecretBackendConnections API. Configures a database secret backend connection for Vault. + + Attributes + ---------- + apiVersion : str, default is "database.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendConnection", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpec, default is Undefined, required + spec + status : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatus, default is Undefined, optional + status + """ + + + apiVersion: "database.vault.upbound.io/v1alpha1" = "database.vault.upbound.io/v1alpha1" + + kind: "SecretBackendConnection" = "SecretBackendConnection" + + metadata?: v1.ObjectMeta + + spec: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpec + + status?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatus + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpec: + r""" + SecretBackendConnectionSpec defines the desired state of SecretBackendConnection + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProvider, default is Undefined, required + for provider + initProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProvider + + initProvider?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderConfigRef + + providerRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderRef + + publishConnectionDetailsTo?: 
DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecWriteConnectionSecretToRef + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProvider: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. Unique name of the Vault mount to configure. + cassandra : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0], default is Undefined, optional + A nested block containing configuration options for Cassandra connections. Connection parameters for the cassandra-database-plugin plugin. + couchbase : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0], default is Undefined, optional + A nested block containing configuration options for Couchbase connections. Connection parameters for the couchbase-database-plugin plugin. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + elasticsearch : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderElasticsearchItems0], default is Undefined, optional + A nested block containing configuration options for Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. + hana : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderHanaItems0], default is Undefined, optional + A nested block containing configuration options for SAP HanaDB connections. 
Connection parameters for the hana-database-plugin plugin. + influxdb : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0], default is Undefined, optional + A nested block containing configuration options for InfluxDB connections. Connection parameters for the influxdb-database-plugin plugin. + mongodb : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB connections. Connection parameters for the mongodb-database-plugin plugin. + mongodbatlas : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbatlasItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin plugin. + mssql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMssqlItems0], default is Undefined, optional + A nested block containing configuration options for MSSQL connections. Connection parameters for the mssql-database-plugin plugin. + mysql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0], default is Undefined, optional + A nested block containing configuration options for MySQL connections. Connection parameters for the mysql-database-plugin plugin. + mysqlAurora : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0], default is Undefined, optional + A nested block containing configuration options for Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin plugin. + mysqlLegacy : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0], default is Undefined, optional + A nested block containing configuration options for legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin plugin. 
+ mysqlRds : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0], default is Undefined, optional + A nested block containing configuration options for RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin plugin. + name : str, default is Undefined, optional + A unique name to give the database connection. Name of the database connection. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + oracle : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderOracleItems0], default is Undefined, optional + A nested block containing configuration options for Oracle connections. Connection parameters for the oracle-database-plugin plugin. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + postgresql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0], default is Undefined, optional + A nested block containing configuration options for PostgreSQL connections. Connection parameters for the postgresql-database-plugin plugin. + redis : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisItems0], default is Undefined, optional + A nested block containing configuration options for Redis connections. Connection parameters for the redis-database-plugin plugin. + redisElasticache : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0], default is Undefined, optional + A nested block containing configuration options for Redis ElastiCache connections. 
Connection parameters for the redis-elasticache-database-plugin plugin. + redshift : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedshiftItems0], default is Undefined, optional + Connection parameters for the redshift-database-plugin plugin. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + snowflake : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderSnowflakeItems0], default is Undefined, optional + A nested block containing configuration options for Snowflake connections. Connection parameters for the snowflake-database-plugin plugin. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + backend?: str + + cassandra?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0] + + couchbase?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0] + + data?: {str:str} + + elasticsearch?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderElasticsearchItems0] + + hana?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderHanaItems0] + + influxdb?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0] + + mongodb?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbItems0] + + mongodbatlas?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbatlasItems0] + + mssql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMssqlItems0] + + mysql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0] + + mysqlAurora?: 
[DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0] + + mysqlLegacy?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0] + + mysqlRds?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0] + + name?: str + + namespace?: str + + oracle?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderOracleItems0] + + pluginName?: str + + postgresql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0] + + redis?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisItems0] + + redisElasticache?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0] + + redshift?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedshiftItems0] + + rootRotationStatements?: [str] + + snowflake?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderSnowflakeItems0] + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider cassandra items0 + + Attributes + ---------- + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + hosts : [str], default is Undefined, optional + The hosts to connect to. Cassandra hosts to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. 
+ passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pemBundleSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PemBundleSecretRef, default is Undefined, optional + pem bundle secret ref + pemJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PemJSONSecretRef, default is Undefined, optional + pem Json secret ref + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Cassandra. + protocolVersion : float, default is Undefined, optional + The CQL protocol version to use. The CQL protocol version to use. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. + username : str, default is Undefined, optional + The username to authenticate with. The username to use when authenticating with Cassandra. + """ + + + connectTimeout?: float + + hosts?: [str] + + insecureTls?: bool + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PasswordSecretRef + + pemBundleSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PemBundleSecretRef + + pemJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PemJSONSecretRef + + port?: float + + protocolVersion?: float + + tls?: bool + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PasswordSecretRef: + r""" + The password to authenticate with. The password to use when authenticating with Cassandra. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. 
+ name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PemBundleSecretRef: + r""" + Concatenated PEM blocks configuring the certificate chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCassandraItems0PemJSONSecretRef: + r""" + A JSON structure configuring the certificate chain. Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider couchbase items0 + + Attributes + ---------- + base64PemSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0Base64PemSecretRef, default is Undefined, optional + base64 pem secret ref + bucketName : str, default is Undefined, optional + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. 
Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + hosts : [str], default is Undefined, optional + The hosts to connect to. A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0PasswordSecretRef, default is Undefined, required + password secret ref + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + base64PemSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0Base64PemSecretRef + + bucketName?: str + + hosts?: [str] + + insecureTls?: bool + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0PasswordSecretRef + + tls?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0Base64PemSecretRef: + r""" + Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. 
+ name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderCouchbaseItems0PasswordSecretRef: + r""" + The password to authenticate with. Specifies the password corresponding to the given username. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderElasticsearchItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider elasticsearch items0 + + Attributes + ---------- + caCert : str, default is Undefined, optional + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + caPath : str, default is Undefined, optional + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + clientCert : str, default is Undefined, optional + The path to the certificate for the Elasticsearch client to present for communication. The path to the certificate for the Elasticsearch client to present for communication + clientKey : str, default is Undefined, optional + The path to the key for the Elasticsearch client to use for communication. The path to the key for the Elasticsearch client to use for communication + insecure : bool, default is Undefined, optional + Whether to disable certificate verification. 
Whether to disable certificate verification + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderElasticsearchItems0PasswordSecretRef, default is Undefined, required + password secret ref + tlsServerName : str, default is Undefined, optional + This, if set, is used to set the SNI host when connecting via TLS. This, if set, is used to set the SNI host when connecting via TLS + url : str, default is Undefined, optional + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The URL for Elasticsearch's API + username : str, default is Undefined, optional + The username to authenticate with. The username to be used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + caCert?: str + + caPath?: str + + clientCert?: str + + clientKey?: str + + insecure?: bool + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderElasticsearchItems0PasswordSecretRef + + tlsServerName?: str + + url?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderElasticsearchItems0PasswordSecretRef: + r""" + The password to authenticate with. The password to be used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderHanaItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider hana items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderHanaItems0PasswordSecretRef, default is Undefined, optional + password secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + """ + + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderHanaItems0PasswordSecretRef + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderHanaItems0PasswordSecretRef: + r""" + The password to authenticate with. 
The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider influxdb items0 + + Attributes + ---------- + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + host : str, default is Undefined, optional + The host to connect to. Influxdb host to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PasswordSecretRef, default is Undefined, required + password secret ref + pemBundleSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PemBundleSecretRef, default is Undefined, optional + pem bundle secret ref + pemJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PemJSONSecretRef, default is Undefined, optional + pem Json secret ref + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Influxdb. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. + username : str, default is Undefined, optional + The username to authenticate with. 
Specifies the username to use for superuser access. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + connectTimeout?: float + + host?: str + + insecureTls?: bool + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PasswordSecretRef + + pemBundleSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PemBundleSecretRef + + pemJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PemJSONSecretRef + + port?: float + + tls?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PasswordSecretRef: + r""" + The password to authenticate with. Specifies the password corresponding to the given username. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PemBundleSecretRef: + r""" + Concatenated PEM blocks configuring the certificate chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderInfluxdbItems0PemJSONSecretRef: + r""" + A JSON structure configuring the certificate chain. Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mongodb items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbItems0PasswordSecretRef, default is Undefined, optional + password secret ref + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbItems0PasswordSecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbatlasItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mongodbatlas items0 + + Attributes + ---------- + privateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbatlasItems0PrivateKeySecretRef, default is Undefined, required + private key secret ref + projectId : str, default is Undefined, optional + The Project ID the Database User should be created within. The Project ID the Database User should be created within. + publicKey : str, default is Undefined, optional + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. 
+ """ + + + privateKeySecretRef: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbatlasItems0PrivateKeySecretRef + + projectId?: str + + publicKey?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMongodbatlasItems0PrivateKeySecretRef: + r""" + The Private Programmatic API Key used to connect with MongoDB Atlas API. The Private Programmatic API Key used to connect with MongoDB Atlas API. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMssqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mssql items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + containedDb : bool, default is Undefined, optional + For Vault v1.9+. Set to true when the target is a Contained Database, e.g. AzureSQL. See the Vault docs Set to true when the target is a Contained Database, e.g. AzureSQL. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. 
+ maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMssqlItems0PasswordSecretRef, default is Undefined, optional + password secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + containedDb?: bool + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMssqlItems0PasswordSecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMssqlItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mysql aurora items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0PasswordSecretRef, default is Undefined, optional + password secret ref + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0PasswordSecretRef + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0ServiceAccountJSONSecretRef: + r""" + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlAuroraItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. 
x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mysql items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0PasswordSecretRef, default is Undefined, optional + password secret ref + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0PasswordSecretRef + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0PasswordSecretRef: + r""" + The password to authenticate with. 
The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0ServiceAccountJSONSecretRef: + r""" + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mysql legacy items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0PasswordSecretRef, default is Undefined, optional + password secret ref + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0PasswordSecretRef + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0ServiceAccountJSONSecretRef: + r""" + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlLegacyItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. 
x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider mysql rds items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0PasswordSecretRef, default is Undefined, optional + password secret ref + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0PasswordSecretRef + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0PasswordSecretRef: + r""" + The password to authenticate with. 
The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0ServiceAccountJSONSecretRef: + r""" + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderMysqlRdsItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderOracleItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider oracle items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. 
+ disconnectSessions : bool, default is Undefined, optional + Enable the built-in session disconnect mechanism. Set to true to disconnect any open sessions prior to running the revocation statements. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderOracleItems0PasswordSecretRef, default is Undefined, optional + password secret ref + splitStatements : bool, default is Undefined, optional + Enable spliting statements after semi-colons. Set to true in order to split statements after semi-colons. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + disconnectSessions?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderOracleItems0PasswordSecretRef + + splitStatements?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderOracleItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. 
+ name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider postgresql items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0PasswordSecretRef, default is Undefined, optional + password secret ref + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0PasswordSecretRef + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0ServiceAccountJSONSecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderPostgresqlItems0ServiceAccountJSONSecretRef: + r""" + JSON encoding of an IAM access key. Requires auth_type to be gcp_iam. A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider redis elasticache items0 + + Attributes + ---------- + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0PasswordSecretRef, default is Undefined, optional + password secret ref + region : str, default is Undefined, optional + The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + url : str, default is Undefined, optional + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The configuration endpoint for the ElastiCache cluster to connect to. + usernameSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0UsernameSecretRef, default is Undefined, optional + username secret ref + """ + + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0PasswordSecretRef + + region?: str + + url?: str + + usernameSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0UsernameSecretRef + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0PasswordSecretRef: + r""" + The password to authenticate with. The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisElasticacheItems0UsernameSecretRef: + r""" + The username to authenticate with. The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider redis items0 + + Attributes + ---------- + caCert : str, default is Undefined, optional + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + host : str, default is Undefined, optional + The host to connect to. Specifies the host to connect to + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisItems0PasswordSecretRef, default is Undefined, required + password secret ref + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Redis. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. + username : str, default is Undefined, optional + The username to authenticate with. 
Specifies the username for Vault to use. + """ + + + caCert?: str + + host?: str + + insecureTls?: bool + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisItems0PasswordSecretRef + + port?: float + + tls?: bool + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedisItems0PasswordSecretRef: + r""" + The password to authenticate with. Specifies the password corresponding to the given username. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedshiftItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider redshift items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedshiftItems0PasswordSecretRef, default is Undefined, optional + password secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedshiftItems0PasswordSecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderRedshiftItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderSnowflakeItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec for provider snowflake items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. 
+ maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderSnowflakeItems0PasswordSecretRef, default is Undefined, optional + password secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderSnowflakeItems0PasswordSecretRef + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecForProviderSnowflakeItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. 
The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. Unique name of the Vault mount to configure. + cassandra : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderCassandraItems0], default is Undefined, optional + A nested block containing configuration options for Cassandra connections. Connection parameters for the cassandra-database-plugin plugin. + couchbase : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderCouchbaseItems0], default is Undefined, optional + A nested block containing configuration options for Couchbase connections. Connection parameters for the couchbase-database-plugin plugin. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + elasticsearch : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderElasticsearchItems0], default is Undefined, optional + A nested block containing configuration options for Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. 
+ hana : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderHanaItems0], default is Undefined, optional + A nested block containing configuration options for SAP HanaDB connections. Connection parameters for the hana-database-plugin plugin. + influxdb : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderInfluxdbItems0], default is Undefined, optional + A nested block containing configuration options for InfluxDB connections. Connection parameters for the influxdb-database-plugin plugin. + mongodb : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMongodbItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB connections. Connection parameters for the mongodb-database-plugin plugin. + mongodbatlas : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMongodbatlasItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin plugin. + mssql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMssqlItems0], default is Undefined, optional + A nested block containing configuration options for MSSQL connections. Connection parameters for the mssql-database-plugin plugin. + mysql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlItems0], default is Undefined, optional + A nested block containing configuration options for MySQL connections. Connection parameters for the mysql-database-plugin plugin. + mysqlAurora : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlAuroraItems0], default is Undefined, optional + A nested block containing configuration options for Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin plugin. 
+ mysqlLegacy : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlLegacyItems0], default is Undefined, optional + A nested block containing configuration options for legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin plugin. + mysqlRds : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlRdsItems0], default is Undefined, optional + A nested block containing configuration options for RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin plugin. + name : str, default is Undefined, optional + A unique name to give the database connection. Name of the database connection. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + oracle : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderOracleItems0], default is Undefined, optional + A nested block containing configuration options for Oracle connections. Connection parameters for the oracle-database-plugin plugin. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + postgresql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderPostgresqlItems0], default is Undefined, optional + A nested block containing configuration options for PostgreSQL connections. Connection parameters for the postgresql-database-plugin plugin. + redis : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedisItems0], default is Undefined, optional + A nested block containing configuration options for Redis connections. 
Connection parameters for the redis-database-plugin plugin. + redisElasticache : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedisElasticacheItems0], default is Undefined, optional + A nested block containing configuration options for Redis ElastiCache connections. Connection parameters for the redis-elasticache-database-plugin plugin. + redshift : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedshiftItems0], default is Undefined, optional + Connection parameters for the redshift-database-plugin plugin. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + snowflake : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderSnowflakeItems0], default is Undefined, optional + A nested block containing configuration options for Snowflake connections. Connection parameters for the snowflake-database-plugin plugin. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + backend?: str + + cassandra?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderCassandraItems0] + + couchbase?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderCouchbaseItems0] + + data?: {str:str} + + elasticsearch?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderElasticsearchItems0] + + hana?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderHanaItems0] + + influxdb?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderInfluxdbItems0] + + mongodb?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMongodbItems0] + + mongodbatlas?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMongodbatlasItems0] + + mssql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMssqlItems0] + + mysql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlItems0] + + mysqlAurora?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlAuroraItems0] + + mysqlLegacy?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlLegacyItems0] + + mysqlRds?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlRdsItems0] + + name?: str + + namespace?: str + + oracle?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderOracleItems0] + + pluginName?: str + + postgresql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderPostgresqlItems0] + + redis?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedisItems0] + + redisElasticache?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedisElasticacheItems0] + + redshift?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedshiftItems0] + + rootRotationStatements?: [str] + + snowflake?: 
[DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderSnowflakeItems0] + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderCassandraItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider cassandra items0 + + Attributes + ---------- + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + hosts : [str], default is Undefined, optional + The hosts to connect to. Cassandra hosts to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Cassandra. + protocolVersion : float, default is Undefined, optional + The CQL protocol version to use. The CQL protocol version to use. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. + username : str, default is Undefined, optional + The username to authenticate with. The username to use when authenticating with Cassandra. + """ + + + connectTimeout?: float + + hosts?: [str] + + insecureTls?: bool + + port?: float + + protocolVersion?: float + + tls?: bool + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderCouchbaseItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider couchbase items0 + + Attributes + ---------- + bucketName : str, default is Undefined, optional + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. 
Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + hosts : [str], default is Undefined, optional + The hosts to connect to. A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + bucketName?: str + + hosts?: [str] + + insecureTls?: bool + + tls?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderElasticsearchItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider elasticsearch items0 + + Attributes + ---------- + caCert : str, default is Undefined, optional + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + caPath : str, default is Undefined, optional + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + clientCert : str, default is Undefined, optional + The path to the certificate for the Elasticsearch client to present for communication. 
The path to the certificate for the Elasticsearch client to present for communication + clientKey : str, default is Undefined, optional + The path to the key for the Elasticsearch client to use for communication. The path to the key for the Elasticsearch client to use for communication + insecure : bool, default is Undefined, optional + Whether to disable certificate verification. Whether to disable certificate verification + tlsServerName : str, default is Undefined, optional + This, if set, is used to set the SNI host when connecting via TLS. This, if set, is used to set the SNI host when connecting via TLS + url : str, default is Undefined, optional + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The URL for Elasticsearch's API + username : str, default is Undefined, optional + The username to authenticate with. The username to be used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + caCert?: str + + caPath?: str + + clientCert?: str + + clientKey?: str + + insecure?: bool + + tlsServerName?: str + + url?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderHanaItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider hana items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. 
Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + """ + + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderInfluxdbItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider influxdb items0 + + Attributes + ---------- + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + host : str, default is Undefined, optional + The host to connect to. Influxdb host to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Influxdb. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. + username : str, default is Undefined, optional + The username to authenticate with. 
Specifies the username to use for superuser access. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + connectTimeout?: float + + host?: str + + insecureTls?: bool + + port?: float + + tls?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMongodbItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mongodb items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMongodbatlasItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mongodbatlas items0 + + Attributes + ---------- + projectId : str, default is Undefined, optional + The Project ID the Database User should be created within. The Project ID the Database User should be created within. + publicKey : str, default is Undefined, optional + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + """ + + + projectId?: str + + publicKey?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMssqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mssql items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + containedDb : bool, default is Undefined, optional + For Vault v1.9+. Set to true when the target is a Contained Database, e.g. AzureSQL. See the Vault docs Set to true when the target is a Contained Database, e.g. AzureSQL. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. 
Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + containedDb?: bool + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlAuroraItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mysql aurora items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. 
Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mysql items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. 
+ username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlLegacyItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mysql legacy items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderMysqlRdsItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider mysql rds items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderOracleItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider oracle items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disconnectSessions : bool, default is Undefined, optional + Enable the built-in session disconnect mechanism. Set to true to disconnect any open sessions prior to running the revocation statements. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + splitStatements : bool, default is Undefined, optional + Enable spliting statements after semi-colons. Set to true in order to split statements after semi-colons. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + connectionUrl?: str + + disconnectSessions?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + splitStatements?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderPostgresqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider postgresql items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + authType?: str + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedisElasticacheItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider redis elasticache items0 + + Attributes + ---------- + region : str, default is Undefined, optional + The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + url : str, default is Undefined, optional + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The configuration endpoint for the ElastiCache cluster to connect to. + """ + + + region?: str + + url?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedisItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider redis items0 + + Attributes + ---------- + caCert : str, default is Undefined, optional + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + host : str, default is Undefined, optional + The host to connect to. Specifies the host to connect to + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Redis. 
+ tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + """ + + + caCert?: str + + host?: str + + insecureTls?: bool + + port?: float + + tls?: bool + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderRedshiftItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider redshift items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecInitProviderSnowflakeItems0: + r""" + database vault upbound io v1alpha1 secret backend connection spec init provider snowflake items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToConfigRef + + metadata?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToMetadata + + name: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. 
+ + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatus: + r""" + SecretBackendConnectionStatus defines the observed state of SecretBackendConnection. 
+ + Attributes + ---------- + atProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProvider, default is Undefined, optional + at provider + conditions : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProvider + + conditions?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusConditionsItems0] + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProvider: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. Unique name of the Vault mount to configure. + cassandra : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderCassandraItems0], default is Undefined, optional + A nested block containing configuration options for Cassandra connections. Connection parameters for the cassandra-database-plugin plugin. + couchbase : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderCouchbaseItems0], default is Undefined, optional + A nested block containing configuration options for Couchbase connections. Connection parameters for the couchbase-database-plugin plugin. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ elasticsearch : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderElasticsearchItems0], default is Undefined, optional + A nested block containing configuration options for Elasticsearch connections. Connection parameters for the elasticsearch-database-plugin. + hana : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderHanaItems0], default is Undefined, optional + A nested block containing configuration options for SAP HanaDB connections. Connection parameters for the hana-database-plugin plugin. + id : str, default is Undefined, optional + id + influxdb : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderInfluxdbItems0], default is Undefined, optional + A nested block containing configuration options for InfluxDB connections. Connection parameters for the influxdb-database-plugin plugin. + mongodb : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMongodbItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB connections. Connection parameters for the mongodb-database-plugin plugin. + mongodbatlas : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMongodbatlasItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB Atlas connections. Connection parameters for the mongodbatlas-database-plugin plugin. + mssql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMssqlItems0], default is Undefined, optional + A nested block containing configuration options for MSSQL connections. Connection parameters for the mssql-database-plugin plugin. + mysql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlItems0], default is Undefined, optional + A nested block containing configuration options for MySQL connections. Connection parameters for the mysql-database-plugin plugin. 
+ mysqlAurora : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlAuroraItems0], default is Undefined, optional + A nested block containing configuration options for Aurora MySQL connections. Connection parameters for the mysql-aurora-database-plugin plugin. + mysqlLegacy : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlLegacyItems0], default is Undefined, optional + A nested block containing configuration options for legacy MySQL connections. Connection parameters for the mysql-legacy-database-plugin plugin. + mysqlRds : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlRdsItems0], default is Undefined, optional + A nested block containing configuration options for RDS MySQL connections. Connection parameters for the mysql-rds-database-plugin plugin. + name : str, default is Undefined, optional + A unique name to give the database connection. Name of the database connection. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + oracle : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderOracleItems0], default is Undefined, optional + A nested block containing configuration options for Oracle connections. Connection parameters for the oracle-database-plugin plugin. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + postgresql : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderPostgresqlItems0], default is Undefined, optional + A nested block containing configuration options for PostgreSQL connections. 
Connection parameters for the postgresql-database-plugin plugin. + redis : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedisItems0], default is Undefined, optional + A nested block containing configuration options for Redis connections. Connection parameters for the redis-database-plugin plugin. + redisElasticache : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedisElasticacheItems0], default is Undefined, optional + A nested block containing configuration options for Redis ElastiCache connections. Connection parameters for the redis-elasticache-database-plugin plugin. + redshift : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedshiftItems0], default is Undefined, optional + Connection parameters for the redshift-database-plugin plugin. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + snowflake : [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderSnowflakeItems0], default is Undefined, optional + A nested block containing configuration options for Snowflake connections. Connection parameters for the snowflake-database-plugin plugin. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + backend?: str + + cassandra?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderCassandraItems0] + + couchbase?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderCouchbaseItems0] + + data?: {str:str} + + elasticsearch?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderElasticsearchItems0] + + hana?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderHanaItems0] + + id?: str + + influxdb?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderInfluxdbItems0] + + mongodb?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMongodbItems0] + + mongodbatlas?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMongodbatlasItems0] + + mssql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMssqlItems0] + + mysql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlItems0] + + mysqlAurora?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlAuroraItems0] + + mysqlLegacy?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlLegacyItems0] + + mysqlRds?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlRdsItems0] + + name?: str + + namespace?: str + + oracle?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderOracleItems0] + + pluginName?: str + + postgresql?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderPostgresqlItems0] + + redis?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedisItems0] + + redisElasticache?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedisElasticacheItems0] + + redshift?: [DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedshiftItems0] + + rootRotationStatements?: [str] + + snowflake?: 
[DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderSnowflakeItems0] + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderCassandraItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider cassandra items0 + + Attributes + ---------- + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + hosts : [str], default is Undefined, optional + The hosts to connect to. Cassandra hosts to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Cassandra. + protocolVersion : float, default is Undefined, optional + The CQL protocol version to use. The CQL protocol version to use. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. + username : str, default is Undefined, optional + The username to authenticate with. The username to use when authenticating with Cassandra. + """ + + + connectTimeout?: float + + hosts?: [str] + + insecureTls?: bool + + port?: float + + protocolVersion?: float + + tls?: bool + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderCouchbaseItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider couchbase items0 + + Attributes + ---------- + bucketName : str, default is Undefined, optional + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. 
Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + hosts : [str], default is Undefined, optional + The hosts to connect to. A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + bucketName?: str + + hosts?: [str] + + insecureTls?: bool + + tls?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderElasticsearchItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider elasticsearch items0 + + Attributes + ---------- + caCert : str, default is Undefined, optional + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + caPath : str, default is Undefined, optional + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + clientCert : str, default is Undefined, optional + The path to the certificate for the Elasticsearch client to present for communication. 
The path to the certificate for the Elasticsearch client to present for communication + clientKey : str, default is Undefined, optional + The path to the key for the Elasticsearch client to use for communication. The path to the key for the Elasticsearch client to use for communication + insecure : bool, default is Undefined, optional + Whether to disable certificate verification. Whether to disable certificate verification + tlsServerName : str, default is Undefined, optional + This, if set, is used to set the SNI host when connecting via TLS. This, if set, is used to set the SNI host when connecting via TLS + url : str, default is Undefined, optional + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The URL for Elasticsearch's API + username : str, default is Undefined, optional + The username to authenticate with. The username to be used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + caCert?: str + + caPath?: str + + clientCert?: str + + clientKey?: str + + insecure?: bool + + tlsServerName?: str + + url?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderHanaItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider hana items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. 
Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + """ + + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderInfluxdbItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider influxdb items0 + + Attributes + ---------- + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + host : str, default is Undefined, optional + The host to connect to. Influxdb host to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Influxdb. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. + username : str, default is Undefined, optional + The username to authenticate with. 
Specifies the username to use for superuser access. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + """ + + + connectTimeout?: float + + host?: str + + insecureTls?: bool + + port?: float + + tls?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMongodbItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mongodb items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMongodbatlasItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mongodbatlas items0 + + Attributes + ---------- + projectId : str, default is Undefined, optional + The Project ID the Database User should be created within. The Project ID the Database User should be created within. + publicKey : str, default is Undefined, optional + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + """ + + + projectId?: str + + publicKey?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMssqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mssql items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + containedDb : bool, default is Undefined, optional + For Vault v1.9+. Set to true when the target is a Contained Database, e.g. AzureSQL. See the Vault docs Set to true when the target is a Contained Database, e.g. AzureSQL. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. 
Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + containedDb?: bool + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlAuroraItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mysql aurora items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. 
Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mysql items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. 
+ username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlLegacyItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mysql legacy items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderMysqlRdsItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider mysql rds items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + authType?: str + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderOracleItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider oracle items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disconnectSessions : bool, default is Undefined, optional + Enable the built-in session disconnect mechanism. Set to true to disconnect any open sessions prior to running the revocation statements. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + splitStatements : bool, default is Undefined, optional + Enable spliting statements after semi-colons. Set to true in order to split statements after semi-colons. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + connectionUrl?: str + + disconnectSessions?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + splitStatements?: bool + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderPostgresqlItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider postgresql items0 + + Attributes + ---------- + authType : str, default is Undefined, optional + Enable IAM authentication to a Google Cloud instance when set to gcp_iam Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + authType?: str + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedisElasticacheItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider redis elasticache items0 + + Attributes + ---------- + region : str, default is Undefined, optional + The region where the ElastiCache cluster is hosted. If omitted Vault tries to infer from the environment instead. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + url : str, default is Undefined, optional + The url to connect to including the port; e.g. master.my-cluster.xxxxxx.use1.cache.amazonaws.com:6379. The configuration endpoint for the ElastiCache cluster to connect to. + """ + + + region?: str + + url?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedisItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider redis items0 + + Attributes + ---------- + caCert : str, default is Undefined, optional + The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + host : str, default is Undefined, optional + The host to connect to. Specifies the host to connect to + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Redis. 
+ tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + """ + + + caCert?: str + + host?: str + + insecureTls?: bool + + port?: float + + tls?: bool + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderRedshiftItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider redshift items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ """ + + + connectionUrl?: str + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusAtProviderSnowflakeItems0: + r""" + database vault upbound io v1alpha1 secret backend connection status at provider snowflake items0 + + Attributes + ---------- + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See the Vault docs for an example. Connection string to use to connect to the database. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + """ + + + connectionUrl?: str + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + username?: str + + usernameTemplate?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendConnectionStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..6473b8a8 --- /dev/null +++ b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,475 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Configures a database secret backend role for Vault. + + Attributes + ---------- + apiVersion : str, default is "database.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "database.vault.upbound.io/v1alpha1" = "database.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema 
DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + database vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. + creationStatements : [str], default is Undefined, optional + The database statements to execute when creating a user. Database statements to execute to create and configure a user. + credentialConfig : {str:str}, default is Undefined, optional + – Specifies the configuration for the given credential_type. Specifies the configuration for the given credential_type. + credentialType : str, default is Undefined, optional + – Specifies the type of credential that will be generated for the role. Options include: password, rsa_private_key, client_certificate. See the plugin's API page for credential types supported by individual databases. Specifies the type of credential that will be generated for the role. + dbName : str, default is Undefined, optional + The unique name of the database connection to use for the role. Database connection to use for this role. + defaultTtl : float, default is Undefined, optional + The default number of seconds for leases for this role. Default TTL for leases associated with this role, in seconds. + maxTtl : float, default is Undefined, optional + The maximum number of seconds for leases for this role. Maximum TTL for leases associated with this role, in seconds. + name : str, default is Undefined, optional + A unique name to give the role. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + renewStatements : [str], default is Undefined, optional + The database statements to execute when renewing a user. Database statements to execute to renew a user. + revocationStatements : [str], default is Undefined, optional + The database statements to execute when revoking a user. Database statements to execute to revoke a user. + rollbackStatements : [str], default is Undefined, optional + The database statements to execute when rolling back creation due to an error. Database statements to execute to rollback a create operation in the event of an error. + """ + + + backend?: str + + creationStatements?: [str] + + credentialConfig?: {str:str} + + credentialType?: str + + dbName?: str + + defaultTtl?: float + + maxTtl?: float + + name?: str + + namespace?: str + + renewStatements?: [str] + + revocationStatements?: [str] + + rollbackStatements?: [str] + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. + creationStatements : [str], default is Undefined, optional + The database statements to execute when creating a user. 
Database statements to execute to create and configure a user. + credentialConfig : {str:str}, default is Undefined, optional + – Specifies the configuration for the given credential_type. Specifies the configuration for the given credential_type. + credentialType : str, default is Undefined, optional + – Specifies the type of credential that will be generated for the role. Options include: password, rsa_private_key, client_certificate. See the plugin's API page for credential types supported by individual databases. Specifies the type of credential that will be generated for the role. + dbName : str, default is Undefined, optional + The unique name of the database connection to use for the role. Database connection to use for this role. + defaultTtl : float, default is Undefined, optional + The default number of seconds for leases for this role. Default TTL for leases associated with this role, in seconds. + maxTtl : float, default is Undefined, optional + The maximum number of seconds for leases for this role. Maximum TTL for leases associated with this role, in seconds. + name : str, default is Undefined, optional + A unique name to give the role. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + renewStatements : [str], default is Undefined, optional + The database statements to execute when renewing a user. Database statements to execute to renew a user. + revocationStatements : [str], default is Undefined, optional + The database statements to execute when revoking a user. Database statements to execute to revoke a user. + rollbackStatements : [str], default is Undefined, optional + The database statements to execute when rolling back creation due to an error. 
Database statements to execute to rollback a create operation in the event of an error. + """ + + + backend?: str + + creationStatements?: [str] + + credentialConfig?: {str:str} + + credentialType?: str + + dbName?: str + + defaultTtl?: float + + maxTtl?: float + + name?: str + + namespace?: str + + renewStatements?: [str] + + revocationStatements?: [str] + + rollbackStatements?: [str] + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. 
+ + Attributes + ---------- + atProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + database vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. + creationStatements : [str], default is Undefined, optional + The database statements to execute when creating a user. Database statements to execute to create and configure a user. + credentialConfig : {str:str}, default is Undefined, optional + – Specifies the configuration for the given credential_type. Specifies the configuration for the given credential_type. + credentialType : str, default is Undefined, optional + – Specifies the type of credential that will be generated for the role. Options include: password, rsa_private_key, client_certificate. See the plugin's API page for credential types supported by individual databases. Specifies the type of credential that will be generated for the role. + dbName : str, default is Undefined, optional + The unique name of the database connection to use for the role. Database connection to use for this role. + defaultTtl : float, default is Undefined, optional + The default number of seconds for leases for this role. Default TTL for leases associated with this role, in seconds. 
+ id : str, default is Undefined, optional + id + maxTtl : float, default is Undefined, optional + The maximum number of seconds for leases for this role. Maximum TTL for leases associated with this role, in seconds. + name : str, default is Undefined, optional + A unique name to give the role. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + renewStatements : [str], default is Undefined, optional + The database statements to execute when renewing a user. Database statements to execute to renew a user. + revocationStatements : [str], default is Undefined, optional + The database statements to execute when revoking a user. Database statements to execute to revoke a user. + rollbackStatements : [str], default is Undefined, optional + The database statements to execute when rolling back creation due to an error. Database statements to execute to rollback a create operation in the event of an error. + """ + + + backend?: str + + creationStatements?: [str] + + credentialConfig?: {str:str} + + credentialType?: str + + dbName?: str + + defaultTtl?: float + + id?: str + + maxTtl?: float + + name?: str + + namespace?: str + + renewStatements?: [str] + + revocationStatements?: [str] + + rollbackStatements?: [str] + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_static_role.k b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_static_role.k new file mode 100644 index 00000000..f8a58fab --- /dev/null +++ b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secret_backend_static_role.k 
@@ -0,0 +1,439 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendStaticRole: + r""" + SecretBackendStaticRole is the Schema for the SecretBackendStaticRoles API. Configures a database secret backend static role for Vault. + + Attributes + ---------- + apiVersion : str, default is "database.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendStaticRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpec, default is Undefined, required + spec + status : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "database.vault.upbound.io/v1alpha1" = "database.vault.upbound.io/v1alpha1" + + kind: "SecretBackendStaticRole" = "SecretBackendStaticRole" + + metadata?: v1.ObjectMeta + + spec: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpec + + status?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatus + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpec: + r""" + SecretBackendStaticRoleSpec defines the desired state of SecretBackendStaticRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecForProvider, default is Undefined, required + for provider + initProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecForProvider + + initProvider?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderConfigRef + + providerRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderRef + + publishConnectionDetailsTo?: 
DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecWriteConnectionSecretToRef + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecForProvider: + r""" + database vault upbound io v1alpha1 secret backend static role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. + dbName : str, default is Undefined, optional + The unique name of the database connection to use for the static role. Database connection to use for this role. + name : str, default is Undefined, optional + A unique name to give the static role. Unique name for the static role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + rotationPeriod : float, default is Undefined, optional + The amount of time Vault should wait before rotating the password, in seconds. Mutually exclusive with rotation_schedule. The amount of time Vault should wait before rotating the password, in seconds. + rotationSchedule : str, default is Undefined, optional + A cron-style string that will define the schedule on which rotations should occur. Mutually exclusive with rotation_period. A cron-style string that will define the schedule on which rotations should occur. + rotationStatements : [str], default is Undefined, optional + Database statements to execute to rotate the password for the configured database user. Database statements to execute to rotate the password for the configured database user. 
+ rotationWindow : float, default is Undefined, optional + The amount of time, in seconds, in which rotations are allowed to occur starting from a given rotation_schedule. The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. + username : str, default is Undefined, optional + The database username that this static role corresponds to. The database username that this role corresponds to. + """ + + + backend?: str + + dbName?: str + + name?: str + + namespace?: str + + rotationPeriod?: float + + rotationSchedule?: str + + rotationStatements?: [str] + + rotationWindow?: float + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. + dbName : str, default is Undefined, optional + The unique name of the database connection to use for the static role. Database connection to use for this role. + name : str, default is Undefined, optional + A unique name to give the static role. Unique name for the static role. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + rotationPeriod : float, default is Undefined, optional + The amount of time Vault should wait before rotating the password, in seconds. Mutually exclusive with rotation_schedule. The amount of time Vault should wait before rotating the password, in seconds. + rotationSchedule : str, default is Undefined, optional + A cron-style string that will define the schedule on which rotations should occur. Mutually exclusive with rotation_period. A cron-style string that will define the schedule on which rotations should occur. + rotationStatements : [str], default is Undefined, optional + Database statements to execute to rotate the password for the configured database user. Database statements to execute to rotate the password for the configured database user. + rotationWindow : float, default is Undefined, optional + The amount of time, in seconds, in which rotations are allowed to occur starting from a given rotation_schedule. The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. + username : str, default is Undefined, optional + The database username that this static role corresponds to. The database username that this role corresponds to. + """ + + + backend?: str + + dbName?: str + + name?: str + + namespace?: str + + rotationPeriod?: float + + rotationSchedule?: str + + rotationStatements?: [str] + + rotationWindow?: float + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. 
+ + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatus: + r""" + SecretBackendStaticRoleStatus defines the observed state of SecretBackendStaticRole. 
+ + Attributes + ---------- + atProvider : DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatusAtProvider + + conditions?: [DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatusConditionsItems0] + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatusAtProvider: + r""" + database vault upbound io v1alpha1 secret backend static role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique name of the Vault mount to configure. The path of the Database Secret Backend the role belongs to. + dbName : str, default is Undefined, optional + The unique name of the database connection to use for the static role. Database connection to use for this role. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + A unique name to give the static role. Unique name for the static role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + rotationPeriod : float, default is Undefined, optional + The amount of time Vault should wait before rotating the password, in seconds. Mutually exclusive with rotation_schedule. The amount of time Vault should wait before rotating the password, in seconds. + rotationSchedule : str, default is Undefined, optional + A cron-style string that will define the schedule on which rotations should occur. Mutually exclusive with rotation_period. 
A cron-style string that will define the schedule on which rotations should occur. + rotationStatements : [str], default is Undefined, optional + Database statements to execute to rotate the password for the configured database user. Database statements to execute to rotate the password for the configured database user. + rotationWindow : float, default is Undefined, optional + The amount of time, in seconds, in which rotations are allowed to occur starting from a given rotation_schedule. The amount of time in seconds in which the rotations are allowed to occur starting from a given rotation_schedule. + username : str, default is Undefined, optional + The database username that this static role corresponds to. The database username that this role corresponds to. + """ + + + backend?: str + + dbName?: str + + id?: str + + name?: str + + namespace?: str + + rotationPeriod?: float + + rotationSchedule?: str + + rotationStatements?: [str] + + rotationWindow?: float + + username?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretBackendStaticRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secrets_mount.k b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secrets_mount.k new file mode 100644 index 00000000..d49daf4f --- /dev/null +++ b/crossplane-provider-vault/database/v1alpha1/database_vault_upbound_io_v1alpha1_secrets_mount.k 
@@ -0,0 +1,4833 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretsMount: + r""" + SecretsMount is the Schema for the SecretsMounts API. Configures any number of database secrets engines under a single mount resource + + Attributes + ---------- + apiVersion : str, default is "database.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretsMount", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : DatabaseVaultUpboundIoV1alpha1SecretsMountSpec, default is Undefined, required + spec + status : DatabaseVaultUpboundIoV1alpha1SecretsMountStatus, default is Undefined, optional + status + """ + + + apiVersion: "database.vault.upbound.io/v1alpha1" = "database.vault.upbound.io/v1alpha1" + + kind: "SecretsMount" = "SecretsMount" + + metadata?: v1.ObjectMeta + + spec: DatabaseVaultUpboundIoV1alpha1SecretsMountSpec + + status?: DatabaseVaultUpboundIoV1alpha1SecretsMountStatus + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpec: + r""" + SecretsMountSpec defines the desired state of SecretsMount + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProvider, default is Undefined, required + for provider + initProvider : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProvider + + initProvider?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderConfigRef + + providerRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderRef + + publishConnectionDetailsTo?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecWriteConnectionSecretToRef + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProvider: + r""" + 
database vault upbound io v1alpha1 secrets mount spec for provider + + Attributes + ---------- + allowedManagedKeys : [str], default is Undefined, optional + Set of managed key registry entry names that the mount in question is allowed to access List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + cassandra : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0], default is Undefined, optional + A nested block containing configuration options for Cassandra connections. See Connection parameters for the cassandra-database-plugin plugin. + couchbase : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0], default is Undefined, optional + A nested block containing configuration options for Couchbase connections. See Connection parameters for the couchbase-database-plugin plugin. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount Human-friendly description of the mount + elasticsearch : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderElasticsearchItems0], default is Undefined, optional + A nested block containing configuration options for Elasticsearch connections. See Connection parameters for the elasticsearch-database-plugin. 
+ externalEntropyAccess : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source Enable the secrets engine to access Vault's external entropy source + hana : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderHanaItems0], default is Undefined, optional + A nested block containing configuration options for SAP HanaDB connections. See Connection parameters for the hana-database-plugin plugin. + influxdb : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0], default is Undefined, optional + A nested block containing configuration options for InfluxDB connections. See Connection parameters for the influxdb-database-plugin plugin. + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds Maximum possible lease duration for tokens and secrets in seconds + mongodb : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB connections. See Connection parameters for the mongodb-database-plugin plugin. + mongodbatlas : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbatlasItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB Atlas connections. See Connection parameters for the mongodbatlas-database-plugin plugin. + mssql : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMssqlItems0], default is Undefined, optional + A nested block containing configuration options for MSSQL connections. See Connection parameters for the mssql-database-plugin plugin. 
+ mysql : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0], default is Undefined, optional + A nested block containing configuration options for MySQL connections. See Connection parameters for the mysql-database-plugin plugin. + mysqlAurora : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0], default is Undefined, optional + A nested block containing configuration options for Aurora MySQL connections. See Connection parameters for the mysql-aurora-database-plugin plugin. + mysqlLegacy : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0], default is Undefined, optional + A nested block containing configuration options for legacy MySQL connections. See Connection parameters for the mysql-legacy-database-plugin plugin. + mysqlRds : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0], default is Undefined, optional + A nested block containing configuration options for RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin plugin. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend Specifies mount type specific options that are passed to the backend + oracle : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderOracleItems0], default is Undefined, optional + A nested block containing configuration options for Oracle connections. See Connection parameters for the oracle-database-plugin plugin. + path : str, default is Undefined, optional + Where the secret backend will be mounted Where the secret backend will be mounted + postgresql : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0], default is Undefined, optional + A nested block containing configuration options for PostgreSQL connections. 
See Connection parameters for the postgresql-database-plugin plugin. + redis : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisItems0], default is Undefined, optional + A nested block containing configuration options for Redis connections. See Connection parameters for the redis-database-plugin plugin. + redisElasticache : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0], default is Undefined, optional + A nested block containing configuration options for Redis ElastiCache connections. See Connection parameters for the redis-elasticache-database-plugin plugin. + redshift : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedshiftItems0], default is Undefined, optional + A nested block containing configuration options for AWS Redshift connections. See Connection parameters for the redshift-database-plugin plugin. + sealWrap : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + snowflake : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderSnowflakeItems0], default is Undefined, optional + A nested block containing configuration options for Snowflake connections. See Connection parameters for the snowflake-database-plugin plugin. 
+ """ + + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + cassandra?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0] + + couchbase?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0] + + defaultLeaseTtlSeconds?: float + + description?: str + + elasticsearch?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderElasticsearchItems0] + + externalEntropyAccess?: bool + + hana?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderHanaItems0] + + influxdb?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0] + + local?: bool + + maxLeaseTtlSeconds?: float + + mongodb?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbItems0] + + mongodbatlas?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbatlasItems0] + + mssql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMssqlItems0] + + mysql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0] + + mysqlAurora?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0] + + mysqlLegacy?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0] + + mysqlRds?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0] + + namespace?: str + + options?: {str:str} + + oracle?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderOracleItems0] + + path?: str + + postgresql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0] + + redis?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisItems0] + + redisElasticache?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0] + + redshift?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedshiftItems0] + + sealWrap?: bool + + snowflake?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderSnowflakeItems0] + + +schema 
DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider cassandra items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + hosts : [str], default is Undefined, optional + The hosts to connect to. Cassandra hosts to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pemBundleSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PemBundleSecretRef, default is Undefined, optional + pem bundle secret ref + pemJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PemJSONSecretRef, default is Undefined, optional + pem Json secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
+ port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Cassandra. + protocolVersion : float, default is Undefined, optional + The CQL protocol version to use. The CQL protocol version to use. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. + username : str, default is Undefined, optional + The username to authenticate with. The username to use when authenticating with Cassandra. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectTimeout?: float + + data?: {str:str} + + hosts?: [str] + + insecureTls?: bool + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PasswordSecretRef + + pemBundleSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PemBundleSecretRef + + pemJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PemJSONSecretRef + + pluginName?: str + + port?: float + + protocolVersion?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PasswordSecretRef: + r""" + The password to authenticate with. The password to use when authenticating with Cassandra. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. 
+ name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PemBundleSecretRef: + r""" + Concatenated PEM blocks configuring the certificate chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCassandraItems0PemJSONSecretRef: + r""" + A JSON structure configuring the certificate chain. Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider couchbase items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. 
+ base64PemSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0Base64PemSecretRef, default is Undefined, optional + base64 pem secret ref + bucketName : str, default is Undefined, optional + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + hosts : [str], default is Undefined, optional + The hosts to connect to. A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0PasswordSecretRef, default is Undefined, required + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. 
+ username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + base64PemSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0Base64PemSecretRef + + bucketName?: str + + data?: {str:str} + + hosts?: [str] + + insecureTls?: bool + + name?: str + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0Base64PemSecretRef: + r""" + Required if tls is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. Required if `tls` is `true`. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderCouchbaseItems0PasswordSecretRef: + r""" + The password to authenticate with. Specifies the password corresponding to the given username. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. 
+ name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderElasticsearchItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider elasticsearch items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + caCert : str, default is Undefined, optional + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + caPath : str, default is Undefined, optional + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + clientCert : str, default is Undefined, optional + The path to the certificate for the Elasticsearch client to present for communication. The path to the certificate for the Elasticsearch client to present for communication + clientKey : str, default is Undefined, optional + The path to the key for the Elasticsearch client to use for communication. The path to the key for the Elasticsearch client to use for communication + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + insecure : bool, default is Undefined, optional + Whether to disable certificate verification. 
Whether to disable certificate verification + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderElasticsearchItems0PasswordSecretRef, default is Undefined, required + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsServerName : str, default is Undefined, optional + This, if set, is used to set the SNI host when connecting via TLS. This, if set, is used to set the SNI host when connecting via TLS + url : str, default is Undefined, optional + The URL for Elasticsearch's API. https requires certificate by trusted CA if used. The URL for Elasticsearch's API + username : str, default is Undefined, optional + The username to authenticate with. The username to be used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + caCert?: str + + caPath?: str + + clientCert?: str + + clientKey?: str + + data?: {str:str} + + insecure?: bool + + name?: str + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderElasticsearchItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + tlsServerName?: str + + url?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderElasticsearchItems0PasswordSecretRef: + r""" + The password to authenticate with. The password to be used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderHanaItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider hana items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. 
Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderHanaItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderHanaItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderHanaItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider influxdb items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + host : str, default is Undefined, optional + The host to connect to. Influxdb host to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PasswordSecretRef, default is Undefined, required + password secret ref + pemBundleSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PemBundleSecretRef, default is Undefined, optional + pem bundle secret ref + pemJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PemJSONSecretRef, default is Undefined, optional + pem Json secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Influxdb. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username to use for superuser access. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectTimeout?: float + + data?: {str:str} + + host?: str + + insecureTls?: bool + + name?: str + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PasswordSecretRef + + pemBundleSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PemBundleSecretRef + + pemJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PemJSONSecretRef + + pluginName?: str + + port?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PasswordSecretRef: + r""" + The password to authenticate with. Specifies the password corresponding to the given username. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PemBundleSecretRef: + r""" + Concatenated PEM blocks configuring the certificate chain. Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderInfluxdbItems0PemJSONSecretRef: + r""" + A JSON structure configuring the certificate chain. 
Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mongodb items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. 
+ passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbatlasItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mongodbatlas items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + privateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbatlasItems0PrivateKeySecretRef, default is Undefined, required + private key secret ref + projectId : str, default is Undefined, optional + The Project ID the Database User should be created within. The Project ID the Database User should be created within. + publicKey : str, default is Undefined, optional + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. 
Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + data?: {str:str} + + name?: str + + pluginName?: str + + privateKeySecretRef: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbatlasItems0PrivateKeySecretRef + + projectId?: str + + publicKey?: str + + rootRotationStatements?: [str] + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMongodbatlasItems0PrivateKeySecretRef: + r""" + The Private Programmatic API Key used to connect with MongoDB Atlas API. The Private Programmatic API Key used to connect with MongoDB Atlas API. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMssqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mssql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + containedDb : bool, default is Undefined, optional + For Vault v1.9+. Set to true when the target is a Contained Database, e.g. AzureSQL. See Vault docs Set to true when the target is a Contained Database, e.g. AzureSQL. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMssqlItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + containedDb?: bool + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMssqlItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMssqlItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mysql aurora items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0ServiceAccountJSONSecretRef: + r""" + A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. 
+ namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlAuroraItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mysql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. 
+ maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0ServiceAccountJSONSecretRef: + r""" + A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mysql legacy items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. 
+ maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. 
Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0ServiceAccountJSONSecretRef: + r""" + A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlLegacyItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider mysql rds items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + tlsCertificateKeySecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0TLSCertificateKeySecretRef, default is Undefined, optional + tls certificate key secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0ServiceAccountJSONSecretRef + + tlsCa?: str + + tlsCertificateKeySecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0TLSCertificateKeySecretRef + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0ServiceAccountJSONSecretRef: + r""" + A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderMysqlRdsItems0TLSCertificateKeySecretRef: + r""" + x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined. x509 certificate for connecting to the database. 
This must be a PEM encoded version of the private key and the certificate combined. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderOracleItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider oracle items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disconnectSessions : bool, default is Undefined, optional + Set to true to disconnect any open sessions prior to running the revocation statements. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. 
+ passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderOracleItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + splitStatements : bool, default is Undefined, optional + Set to true in order to split statements after semi-colons. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disconnectSessions?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderOracleItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + splitStatements?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderOracleItems0PasswordSecretRef: + r""" + The password to authenticate with. 
The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider postgresql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + serviceAccountJsonSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0ServiceAccountJSONSecretRef, default is Undefined, optional + service account Json secret ref + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + serviceAccountJsonSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0ServiceAccountJSONSecretRef + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderPostgresqlItems0ServiceAccountJSONSecretRef: + r""" + A JSON encoded credential for use with IAM authorization + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider redis elasticache items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. 
+ data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + region : str, default is Undefined, optional + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + url : str, default is Undefined, optional + The URL for Elasticsearch's API. https requires certificate by trusted CA if used. The configuration endpoint for the ElastiCache cluster to connect to. + usernameSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0UsernameSecretRef, default is Undefined, optional + username secret ref + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + data?: {str:str} + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0PasswordSecretRef + + pluginName?: str + + region?: str + + rootRotationStatements?: [str] + + url?: str + + usernameSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0UsernameSecretRef + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0PasswordSecretRef: + r""" + The password to authenticate with. The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisElasticacheItems0UsernameSecretRef: + r""" + The username to authenticate with. The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider redis items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. 
+ caCert : str, default is Undefined, optional + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + host : str, default is Undefined, optional + The host to connect to. Specifies the host to connect to + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisItems0PasswordSecretRef, default is Undefined, required + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Redis. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. 
+ verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + caCert?: str + + data?: {str:str} + + host?: str + + insecureTls?: bool + + name?: str + + passwordSecretRef: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisItems0PasswordSecretRef + + pluginName?: str + + port?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedisItems0PasswordSecretRef: + r""" + The password to authenticate with. Specifies the password corresponding to the given username. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedshiftItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider redshift items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. 
Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedshiftItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedshiftItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderRedshiftItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderSnowflakeItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec for provider snowflake items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. 
+ maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + passwordSecretRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderSnowflakeItems0PasswordSecretRef, default is Undefined, optional + password secret ref + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + passwordSecretRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderSnowflakeItems0PasswordSecretRef + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecForProviderSnowflakeItems0PasswordSecretRef: + r""" + The password to authenticate with. The root credential password used in the connection URL + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + allowedManagedKeys : [str], default is Undefined, optional + Set of managed key registry entry names that the mount in question is allowed to access List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + cassandra : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderCassandraItems0], default is Undefined, optional + A nested block containing configuration options for Cassandra connections. See Connection parameters for the cassandra-database-plugin plugin. + couchbase : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderCouchbaseItems0], default is Undefined, optional + A nested block containing configuration options for Couchbase connections. See Connection parameters for the couchbase-database-plugin plugin. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount Human-friendly description of the mount + elasticsearch : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderElasticsearchItems0], default is Undefined, optional + A nested block containing configuration options for Elasticsearch connections. See Connection parameters for the elasticsearch-database-plugin. 
+ externalEntropyAccess : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source Enable the secrets engine to access Vault's external entropy source + hana : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderHanaItems0], default is Undefined, optional + A nested block containing configuration options for SAP HanaDB connections. See Connection parameters for the hana-database-plugin plugin. + influxdb : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderInfluxdbItems0], default is Undefined, optional + A nested block containing configuration options for InfluxDB connections. See Connection parameters for the influxdb-database-plugin plugin. + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds Maximum possible lease duration for tokens and secrets in seconds + mongodb : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMongodbItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB connections. See Connection parameters for the mongodb-database-plugin plugin. + mongodbatlas : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMongodbatlasItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB Atlas connections. See Connection parameters for the mongodbatlas-database-plugin plugin. + mssql : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMssqlItems0], default is Undefined, optional + A nested block containing configuration options for MSSQL connections. See Connection parameters for the mssql-database-plugin plugin. 
+ mysql : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlItems0], default is Undefined, optional + A nested block containing configuration options for MySQL connections. See Connection parameters for the mysql-database-plugin plugin. + mysqlAurora : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlAuroraItems0], default is Undefined, optional + A nested block containing configuration options for Aurora MySQL connections. See Connection parameters for the mysql-aurora-database-plugin plugin. + mysqlLegacy : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlLegacyItems0], default is Undefined, optional + A nested block containing configuration options for legacy MySQL connections. See Connection parameters for the mysql-legacy-database-plugin plugin. + mysqlRds : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlRdsItems0], default is Undefined, optional + A nested block containing configuration options for RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin plugin. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend Specifies mount type specific options that are passed to the backend + oracle : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderOracleItems0], default is Undefined, optional + A nested block containing configuration options for Oracle connections. See Connection parameters for the oracle-database-plugin plugin. + path : str, default is Undefined, optional + Where the secret backend will be mounted Where the secret backend will be mounted + postgresql : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderPostgresqlItems0], default is Undefined, optional + A nested block containing configuration options for PostgreSQL connections. 
See Connection parameters for the postgresql-database-plugin plugin. + redis : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedisItems0], default is Undefined, optional + A nested block containing configuration options for Redis connections. See Connection parameters for the redis-database-plugin plugin. + redisElasticache : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedisElasticacheItems0], default is Undefined, optional + A nested block containing configuration options for Redis ElastiCache connections. See Connection parameters for the redis-elasticache-database-plugin plugin. + redshift : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedshiftItems0], default is Undefined, optional + A nested block containing configuration options for AWS Redshift connections. See Connection parameters for the redshift-database-plugin plugin. + sealWrap : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + snowflake : [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderSnowflakeItems0], default is Undefined, optional + A nested block containing configuration options for Snowflake connections. See Connection parameters for the snowflake-database-plugin plugin. 
+ """ + + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + cassandra?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderCassandraItems0] + + couchbase?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderCouchbaseItems0] + + defaultLeaseTtlSeconds?: float + + description?: str + + elasticsearch?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderElasticsearchItems0] + + externalEntropyAccess?: bool + + hana?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderHanaItems0] + + influxdb?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderInfluxdbItems0] + + local?: bool + + maxLeaseTtlSeconds?: float + + mongodb?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMongodbItems0] + + mongodbatlas?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMongodbatlasItems0] + + mssql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMssqlItems0] + + mysql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlItems0] + + mysqlAurora?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlAuroraItems0] + + mysqlLegacy?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlLegacyItems0] + + mysqlRds?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlRdsItems0] + + namespace?: str + + options?: {str:str} + + oracle?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderOracleItems0] + + path?: str + + postgresql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderPostgresqlItems0] + + redis?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedisItems0] + + redisElasticache?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedisElasticacheItems0] + + redshift?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedshiftItems0] + + sealWrap?: bool + + snowflake?: [DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderSnowflakeItems0] + + +schema 
DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderCassandraItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider cassandra items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + hosts : [str], default is Undefined, optional + The hosts to connect to. Cassandra hosts to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Cassandra. + protocolVersion : float, default is Undefined, optional + The CQL protocol version to use. The CQL protocol version to use. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. 
+ tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. + username : str, default is Undefined, optional + The username to authenticate with. The username to use when authenticating with Cassandra. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectTimeout?: float + + data?: {str:str} + + hosts?: [str] + + insecureTls?: bool + + name?: str + + pluginName?: str + + port?: float + + protocolVersion?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderCouchbaseItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider couchbase items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + bucketName : str, default is Undefined, optional + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + hosts : [str], default is Undefined, optional + The hosts to connect to. A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. 
Specifies whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + bucketName?: str + + data?: {str:str} + + hosts?: [str] + + insecureTls?: bool + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderElasticsearchItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider elasticsearch items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. 
+ caCert : str, default is Undefined, optional + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + caPath : str, default is Undefined, optional + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + clientCert : str, default is Undefined, optional + The path to the certificate for the Elasticsearch client to present for communication. The path to the certificate for the Elasticsearch client to present for communication + clientKey : str, default is Undefined, optional + The path to the key for the Elasticsearch client to use for communication. The path to the key for the Elasticsearch client to use for communication + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + insecure : bool, default is Undefined, optional + Whether to disable certificate verification. Whether to disable certificate verification + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. 
+ tlsServerName : str, default is Undefined, optional + This, if set, is used to set the SNI host when connecting via TLS. This, if set, is used to set the SNI host when connecting via TLS + url : str, default is Undefined, optional + The URL for Elasticsearch's API. https requires certificate by trusted CA if used. The URL for Elasticsearch's API + username : str, default is Undefined, optional + The username to authenticate with. The username to be used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + caCert?: str + + caPath?: str + + clientCert?: str + + clientKey?: str + + data?: {str:str} + + insecure?: bool + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsServerName?: str + + url?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderHanaItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider hana items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderInfluxdbItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider influxdb items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + host : str, default is Undefined, optional + The host to connect to. Influxdb host to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Influxdb. 
+ rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username to use for superuser access. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectTimeout?: float + + data?: {str:str} + + host?: str + + insecureTls?: bool + + name?: str + + pluginName?: str + + port?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMongodbItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mongodb items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMongodbatlasItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mongodbatlas items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + projectId : str, default is Undefined, optional + The Project ID the Database User should be created within. The Project ID the Database User should be created within. + publicKey : str, default is Undefined, optional + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. 
+ verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + data?: {str:str} + + name?: str + + pluginName?: str + + projectId?: str + + publicKey?: str + + rootRotationStatements?: [str] + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMssqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mssql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + containedDb : bool, default is Undefined, optional + For Vault v1.9+. Set to true when the target is a Contained Database, e.g. AzureSQL. See Vault docs Set to true when the target is a Contained Database, e.g. AzureSQL. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. 
+ maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + containedDb?: bool + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlAuroraItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mysql aurora items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. 
A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. 
+ username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mysql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. 
+ maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlLegacyItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mysql legacy items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. 
Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderMysqlRdsItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider mysql rds items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. 
(Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. 
The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderOracleItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider oracle items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disconnectSessions : bool, default is Undefined, optional + Set to true to disconnect any open sessions prior to running the revocation statements. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. 
Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + splitStatements : bool, default is Undefined, optional + Set to true in order to split statements after semi-colons. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disconnectSessions?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + splitStatements?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderPostgresqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider postgresql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedisElasticacheItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider redis elasticache items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + region : str, default is Undefined, optional + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + url : str, default is Undefined, optional + The URL for Elasticsearch's API. https requires certificate by trusted CA if used. The configuration endpoint for the ElastiCache cluster to connect to. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + data?: {str:str} + + name?: str + + pluginName?: str + + region?: str + + rootRotationStatements?: [str] + + url?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedisItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider redis items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. 
+ caCert : str, default is Undefined, optional + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + host : str, default is Undefined, optional + The host to connect to. Specifies the host to connect to + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Redis. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. 
Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + caCert?: str + + data?: {str:str} + + host?: str + + insecureTls?: bool + + name?: str + + pluginName?: str + + port?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderRedshiftItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider redshift items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. 
+ pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecInitProviderSnowflakeItems0: + r""" + database vault upbound io v1alpha1 secrets mount spec init provider snowflake items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToConfigRef + + metadata?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToMetadata + + name: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToConfigRefPolicy + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatus: + r""" + SecretsMountStatus defines the observed state of SecretsMount. + + Attributes + ---------- + atProvider : DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProvider, default is Undefined, optional + at provider + conditions : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProvider + + conditions?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusConditionsItems0] + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProvider: + r""" + database vault upbound io v1alpha1 secrets mount status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + Accessor of the mount + allowedManagedKeys : [str], default is Undefined, optional + Set of managed key registry entry names that the mount in question is allowed to access List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + cassandra : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderCassandraItems0], default is Undefined, optional + A nested block containing configuration options for Cassandra connections. See Connection parameters for the cassandra-database-plugin plugin. + couchbase : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderCouchbaseItems0], default is Undefined, optional + A nested block containing configuration options for Couchbase connections. See Connection parameters for the couchbase-database-plugin plugin. 
+ defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount Human-friendly description of the mount + elasticsearch : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderElasticsearchItems0], default is Undefined, optional + A nested block containing configuration options for Elasticsearch connections. See Connection parameters for the elasticsearch-database-plugin. + engineCount : float, default is Undefined, optional + The total number of database secrets engines configured. Total number of database secret engines configured under the mount. + externalEntropyAccess : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source Enable the secrets engine to access Vault's external entropy source + hana : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderHanaItems0], default is Undefined, optional + A nested block containing configuration options for SAP HanaDB connections. See Connection parameters for the hana-database-plugin plugin. + id : str, default is Undefined, optional + id + influxdb : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderInfluxdbItems0], default is Undefined, optional + A nested block containing configuration options for InfluxDB connections. See Connection parameters for the influxdb-database-plugin plugin. 
+ local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds Maximum possible lease duration for tokens and secrets in seconds + mongodb : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMongodbItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB connections. See Connection parameters for the mongodb-database-plugin plugin. + mongodbatlas : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMongodbatlasItems0], default is Undefined, optional + A nested block containing configuration options for MongoDB Atlas connections. See Connection parameters for the mongodbatlas-database-plugin plugin. + mssql : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMssqlItems0], default is Undefined, optional + A nested block containing configuration options for MSSQL connections. See Connection parameters for the mssql-database-plugin plugin. + mysql : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlItems0], default is Undefined, optional + A nested block containing configuration options for MySQL connections. See Connection parameters for the mysql-database-plugin plugin. + mysqlAurora : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlAuroraItems0], default is Undefined, optional + A nested block containing configuration options for Aurora MySQL connections. See Connection parameters for the mysql-aurora-database-plugin plugin. + mysqlLegacy : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlLegacyItems0], default is Undefined, optional + A nested block containing configuration options for legacy MySQL connections. 
See Connection parameters for the mysql-legacy-database-plugin plugin. + mysqlRds : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlRdsItems0], default is Undefined, optional + A nested block containing configuration options for RDS MySQL connections. See Connection parameters for the mysql-rds-database-plugin plugin. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend Specifies mount type specific options that are passed to the backend + oracle : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderOracleItems0], default is Undefined, optional + A nested block containing configuration options for Oracle connections. See Connection parameters for the oracle-database-plugin plugin. + path : str, default is Undefined, optional + Where the secret backend will be mounted Where the secret backend will be mounted + postgresql : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderPostgresqlItems0], default is Undefined, optional + A nested block containing configuration options for PostgreSQL connections. See Connection parameters for the postgresql-database-plugin plugin. + redis : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedisItems0], default is Undefined, optional + A nested block containing configuration options for Redis connections. See Connection parameters for the redis-database-plugin plugin. + redisElasticache : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedisElasticacheItems0], default is Undefined, optional + A nested block containing configuration options for Redis ElastiCache connections. See Connection parameters for the redis-elasticache-database-plugin plugin. 
+ redshift : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedshiftItems0], default is Undefined, optional + A nested block containing configuration options for AWS Redshift connections. See Connection parameters for the redshift-database-plugin plugin. + sealWrap : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + snowflake : [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderSnowflakeItems0], default is Undefined, optional + A nested block containing configuration options for Snowflake connections. See Connection parameters for the snowflake-database-plugin plugin. + """ + + + accessor?: str + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + cassandra?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderCassandraItems0] + + couchbase?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderCouchbaseItems0] + + defaultLeaseTtlSeconds?: float + + description?: str + + elasticsearch?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderElasticsearchItems0] + + engineCount?: float + + externalEntropyAccess?: bool + + hana?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderHanaItems0] + + id?: str + + influxdb?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderInfluxdbItems0] + + local?: bool + + maxLeaseTtlSeconds?: float + + mongodb?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMongodbItems0] + + mongodbatlas?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMongodbatlasItems0] + + mssql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMssqlItems0] + + mysql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlItems0] + + 
mysqlAurora?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlAuroraItems0] + + mysqlLegacy?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlLegacyItems0] + + mysqlRds?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlRdsItems0] + + namespace?: str + + options?: {str:str} + + oracle?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderOracleItems0] + + path?: str + + postgresql?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderPostgresqlItems0] + + redis?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedisItems0] + + redisElasticache?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedisElasticacheItems0] + + redshift?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedshiftItems0] + + sealWrap?: bool + + snowflake?: [DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderSnowflakeItems0] + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderCassandraItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider cassandra items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + hosts : [str], default is Undefined, optional + The hosts to connect to. Cassandra hosts to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Cassandra. + protocolVersion : float, default is Undefined, optional + The CQL protocol version to use. The CQL protocol version to use. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Cassandra. + username : str, default is Undefined, optional + The username to authenticate with. The username to use when authenticating with Cassandra. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectTimeout?: float + + data?: {str:str} + + hosts?: [str] + + insecureTls?: bool + + name?: str + + pluginName?: str + + port?: float + + protocolVersion?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderCouchbaseItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider couchbase items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + bucketName : str, default is Undefined, optional + Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + hosts : [str], default is Undefined, optional + The hosts to connect to. A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
+ rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Couchbase. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + bucketName?: str + + data?: {str:str} + + hosts?: [str] + + insecureTls?: bool + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderElasticsearchItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider elasticsearch items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + caCert : str, default is Undefined, optional + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity + caPath : str, default is Undefined, optional + The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity. 
The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity + clientCert : str, default is Undefined, optional + The path to the certificate for the Elasticsearch client to present for communication. The path to the certificate for the Elasticsearch client to present for communication + clientKey : str, default is Undefined, optional + The path to the key for the Elasticsearch client to use for communication. The path to the key for the Elasticsearch client to use for communication + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + insecure : bool, default is Undefined, optional + Whether to disable certificate verification. Whether to disable certificate verification + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsServerName : str, default is Undefined, optional + This, if set, is used to set the SNI host when connecting via TLS. This, if set, is used to set the SNI host when connecting via TLS + url : str, default is Undefined, optional + The URL for Elasticsearch's API. https requires certificate by trusted CA if used. The URL for Elasticsearch's API + username : str, default is Undefined, optional + The username to authenticate with. 
The username to be used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + caCert?: str + + caPath?: str + + clientCert?: str + + clientKey?: str + + data?: {str:str} + + insecure?: bool + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsServerName?: str + + url?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderHanaItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider hana items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. 
+ maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderInfluxdbItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider influxdb items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. 
+ connectTimeout : float, default is Undefined, optional + The number of seconds to use as a connection timeout. The number of seconds to use as a connection timeout. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + host : str, default is Undefined, optional + The host to connect to. Influxdb host to connect to. + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Influxdb. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Whether to use TLS when connecting to Influxdb. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username to use for superuser access. + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. 
+ verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectTimeout?: float + + data?: {str:str} + + host?: str + + insecureTls?: bool + + name?: str + + pluginName?: str + + port?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMongodbItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mongodb items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. 
+ pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMongodbatlasItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mongodbatlas items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + projectId : str, default is Undefined, optional + The Project ID the Database User should be created within. The Project ID the Database User should be created within. + publicKey : str, default is Undefined, optional + The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + data?: {str:str} + + name?: str + + pluginName?: str + + projectId?: str + + publicKey?: str + + rootRotationStatements?: [str] + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMssqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mssql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + containedDb : bool, default is Undefined, optional + For Vault v1.9+. 
Set to true when the target is a Contained Database, e.g. AzureSQL. See Vault docs Set to true when the target is a Contained Database, e.g. AzureSQL. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + containedDb?: bool + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlAuroraItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mysql aurora items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. 
+ name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mysql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. 
A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. 
+ username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlLegacyItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mysql legacy items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. 
+ maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderMysqlRdsItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider mysql rds items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. 
Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tlsCa : str, default is Undefined, optional + x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + tlsCa?: str + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderOracleItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider oracle items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. 
+ data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disconnectSessions : bool, default is Undefined, optional + Set to true to disconnect any open sessions prior to running the revocation statements. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + splitStatements : bool, default is Undefined, optional + Set to true in order to split statements after semi-colons. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. 
+ verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disconnectSessions?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + splitStatements?: bool + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderPostgresqlItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider postgresql items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + authType : str, default is Undefined, optional + Specify alternative authorization type. (Only 'gcp_iam' is valid currently) + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. 
Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + authType?: str + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedisElasticacheItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider redis elasticache items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + region : str, default is Undefined, optional + The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + url : str, default is Undefined, optional + The URL for Elasticsearch's API. 
https requires certificate by trusted CA if used. The configuration endpoint for the ElastiCache cluster to connect to. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + data?: {str:str} + + name?: str + + pluginName?: str + + region?: str + + rootRotationStatements?: [str] + + url?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedisItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider redis items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + caCert : str, default is Undefined, optional + The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity. The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + host : str, default is Undefined, optional + The host to connect to. Specifies the host to connect to + insecureTls : bool, default is Undefined, optional + Whether to skip verification of the server certificate when using TLS. Specifies whether to skip verification of the server certificate when using TLS. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. 
Must be prefixed with the name of one of the supported database engine types. + port : float, default is Undefined, optional + The default port to connect to if no port is specified as part of the host. The transport port to use to connect to Redis. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + tls : bool, default is Undefined, optional + Whether to use TLS when connecting to Cassandra. Specifies whether to use TLS when connecting to Redis. + username : str, default is Undefined, optional + The username to authenticate with. Specifies the username for Vault to use. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + caCert?: str + + data?: {str:str} + + host?: str + + insecureTls?: bool + + name?: str + + pluginName?: str + + port?: float + + rootRotationStatements?: [str] + + tls?: bool + + username?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderRedshiftItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider redshift items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. 
Useful for templated connection strings. + disableEscaping : bool, default is Undefined, optional + Disable special character escaping in username and password. Disable special character escaping in username and password + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. + rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. 
+ """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + disableEscaping?: bool + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusAtProviderSnowflakeItems0: + r""" + database vault upbound io v1alpha1 secrets mount status at provider snowflake items0 + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + A list of roles that are allowed to use this connection. A list of roles that are allowed to use this connection. + connectionUrl : str, default is Undefined, optional + A URL containing connection information. See Vault docs Connection string to use to connect to the database. + data : {str:str}, default is Undefined, optional + A map of sensitive data to pass to the endpoint. Useful for templated connection strings. A map of sensitive data to pass to the endpoint. Useful for templated connection strings. + maxConnectionLifetime : float, default is Undefined, optional + The maximum number of seconds to keep a connection alive for. Maximum number of seconds a connection may be reused. + maxIdleConnections : float, default is Undefined, optional + The maximum number of idle connections to maintain. Maximum number of idle connections to the database. + maxOpenConnections : float, default is Undefined, optional + The maximum number of open connections to use. Maximum number of open connections to the database. + name : str, default is Undefined, optional + for any configured database engine is changed Name of the database connection. + pluginName : str, default is Undefined, optional + Specifies the name of the plugin to use. Specifies the name of the plugin to use for this connection. Must be prefixed with the name of one of the supported database engine types. 
+ rootRotationStatements : [str], default is Undefined, optional + A list of database statements to be executed to rotate the root user's credentials. A list of database statements to be executed to rotate the root user's credentials. + username : str, default is Undefined, optional + The username to authenticate with. The root credential username used in the connection URL + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Username generation template. + verifyConnection : bool, default is Undefined, optional + Whether the connection should be verified on initial configuration or not. Specifies if the connection is verified during initial configuration. + """ + + + allowedRoles?: [str] + + connectionUrl?: str + + data?: {str:str} + + maxConnectionLifetime?: float + + maxIdleConnections?: float + + maxOpenConnections?: float + + name?: str + + pluginName?: str + + rootRotationStatements?: [str] + + username?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema DatabaseVaultUpboundIoV1alpha1SecretsMountStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/egp/v1alpha1/egp_vault_upbound_io_v1alpha1_policy.k b/crossplane-provider-vault/egp/v1alpha1/egp_vault_upbound_io_v1alpha1_policy.k new file mode 100644 index 00000000..629bd950 --- /dev/null +++ b/crossplane-provider-vault/egp/v1alpha1/egp_vault_upbound_io_v1alpha1_policy.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Policy: + r""" + Policy is the Schema for the Policys API. Writes Sentinel endpoint governing policies for Vault + + Attributes + ---------- + apiVersion : str, default is "egp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Policy", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : EgpVaultUpboundIoV1alpha1PolicySpec, default is Undefined, required + spec + status : EgpVaultUpboundIoV1alpha1PolicyStatus, default is Undefined, optional + status + """ + + + apiVersion: "egp.vault.upbound.io/v1alpha1" = "egp.vault.upbound.io/v1alpha1" + + kind: "Policy" = "Policy" + + metadata?: v1.ObjectMeta + + spec: EgpVaultUpboundIoV1alpha1PolicySpec + + status?: EgpVaultUpboundIoV1alpha1PolicyStatus + + +schema EgpVaultUpboundIoV1alpha1PolicySpec: + r""" + PolicySpec defines the desired state of Policy + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : EgpVaultUpboundIoV1alpha1PolicySpecForProvider, default is Undefined, required + for provider + initProvider : EgpVaultUpboundIoV1alpha1PolicySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : EgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : EgpVaultUpboundIoV1alpha1PolicySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : EgpVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: EgpVaultUpboundIoV1alpha1PolicySpecForProvider + + initProvider?: EgpVaultUpboundIoV1alpha1PolicySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: EgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRef + + providerRef?: EgpVaultUpboundIoV1alpha1PolicySpecProviderRef + + publishConnectionDetailsTo?: EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: EgpVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef + + +schema EgpVaultUpboundIoV1alpha1PolicySpecForProvider: + r""" + egp vault upbound io v1alpha1 policy spec for provider + + Attributes + ---------- + enforcementLevel : str, default is Undefined, optional + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + paths : [str], default is Undefined, optional + List of paths to which the policy will be applied to List of paths to which the policy will be applied + policy : str, default is Undefined, optional + String containing a Sentinel policy The policy document + """ + + + enforcementLevel?: str + + name?: str + + namespace?: str + + paths?: [str] + + policy?: str + + +schema EgpVaultUpboundIoV1alpha1PolicySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + enforcementLevel : str, default is Undefined, optional + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + paths : [str], default is Undefined, optional + List of paths to which the policy will be applied to List of paths to which the policy will be applied + policy : str, default is Undefined, optional + String containing a Sentinel policy The policy document + """ + + + enforcementLevel?: str + + name?: str + + namespace?: str + + paths?: [str] + + policy?: str + + +schema EgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : EgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: EgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy + + +schema EgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema EgpVaultUpboundIoV1alpha1PolicySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : EgpVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: EgpVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy + + +schema EgpVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef + + metadata?: EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata + + name: str + + +schema EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy + + +schema EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema EgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema EgpVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema EgpVaultUpboundIoV1alpha1PolicyStatus: + r""" + PolicyStatus defines the observed state of Policy. 
+ + Attributes + ---------- + atProvider : EgpVaultUpboundIoV1alpha1PolicyStatusAtProvider, default is Undefined, optional + at provider + conditions : [EgpVaultUpboundIoV1alpha1PolicyStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: EgpVaultUpboundIoV1alpha1PolicyStatusAtProvider + + conditions?: [EgpVaultUpboundIoV1alpha1PolicyStatusConditionsItems0] + + +schema EgpVaultUpboundIoV1alpha1PolicyStatusAtProvider: + r""" + egp vault upbound io v1alpha1 policy status at provider + + Attributes + ---------- + enforcementLevel : str, default is Undefined, optional + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + paths : [str], default is Undefined, optional + List of paths to which the policy will be applied to List of paths to which the policy will be applied + policy : str, default is Undefined, optional + String containing a Sentinel policy The policy document + """ + + + enforcementLevel?: str + + id?: str + + name?: str + + namespace?: str + + paths?: [str] + + policy?: str + + +schema EgpVaultUpboundIoV1alpha1PolicyStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend.k b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend.k new file mode 100644 index 00000000..476f9309 --- /dev/null +++ b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend.k 
@@ -0,0 +1,697 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackend: + r""" + AuthBackend is the Schema for the AuthBackends API. + + Attributes + ---------- + apiVersion : str, default is "gcp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GcpVaultUpboundIoV1alpha1AuthBackendSpec, default is Undefined, required + spec + status : GcpVaultUpboundIoV1alpha1AuthBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "gcp.vault.upbound.io/v1alpha1" = "gcp.vault.upbound.io/v1alpha1" + + kind: "AuthBackend" = "AuthBackend" + + metadata?: v1.ObjectMeta + + spec: GcpVaultUpboundIoV1alpha1AuthBackendSpec + + status?: GcpVaultUpboundIoV1alpha1AuthBackendStatus + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpec: + r""" + AuthBackendSpec defines the desired state of AuthBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GcpVaultUpboundIoV1alpha1AuthBackendSpecForProvider, default is Undefined, required + for provider + initProvider : GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GcpVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GcpVaultUpboundIoV1alpha1AuthBackendSpecForProvider + + initProvider?: GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef + + providerRef?: GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderRef + + publishConnectionDetailsTo?: GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GcpVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecForProvider: + r""" + gcp vault upbound io v1alpha1 auth backend spec for provider + + Attributes + ---------- + clientEmail : str, default is Undefined, optional + client email + clientId : str, default is Undefined, optional + client Id + credentialsSecretRef : GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderCredentialsSecretRef, default is Undefined, optional + credentials secret ref + customEndpoint : 
[GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderCustomEndpointItems0], default is Undefined, optional + Specifies overrides to service endpoints used when making API requests to GCP. + description : str, default is Undefined, optional + description + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Specifies if the auth method is local only + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + path + privateKeyId : str, default is Undefined, optional + private key Id + projectId : str, default is Undefined, optional + project Id + tune : [GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0], default is Undefined, optional + tune + """ + + + clientEmail?: str + + clientId?: str + + credentialsSecretRef?: GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderCredentialsSecretRef + + customEndpoint?: [GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderCustomEndpointItems0] + + description?: str + + disableRemount?: bool + + local?: bool + + namespace?: str + + path?: str + + privateKeyId?: str + + projectId?: str + + tune?: [GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0] + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderCredentialsSecretRef: + r""" + A SecretKeySelector is a reference to a secret key in an arbitrary namespace. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderCustomEndpointItems0: + r""" + gcp vault upbound io v1alpha1 auth backend spec for provider custom endpoint items0 + + Attributes + ---------- + api : str, default is Undefined, optional + Replaces the service endpoint used in API requests to https://www.googleapis.com. + compute : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://compute.googleapis.com`. + crm : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`. + iam : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://iam.googleapis.com`. + """ + + + api?: str + + compute?: str + + crm?: str + + iam?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0: + r""" + gcp vault upbound io v1alpha1 auth backend spec for provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + allowed response headers + auditNonHmacRequestKeys : [str], default is Undefined, optional + audit non hmac request keys + auditNonHmacResponseKeys : [str], default is Undefined, optional + audit non hmac response keys + defaultLeaseTtl : str, default is Undefined, optional + default lease Ttl + listingVisibility : str, default is Undefined, optional + listing visibility + maxLeaseTtl : str, default is Undefined, optional + max lease Ttl + passthroughRequestHeaders : [str], default is Undefined, optional + passthrough request headers + tokenType : str, default is Undefined, optional + token type + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema 
GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + clientEmail : str, default is Undefined, optional + client email + clientId : str, default is Undefined, optional + client Id + customEndpoint : [GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProviderCustomEndpointItems0], default is Undefined, optional + Specifies overrides to service endpoints used when making API requests to GCP. + description : str, default is Undefined, optional + description + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Specifies if the auth method is local only + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + path + privateKeyId : str, default is Undefined, optional + private key Id + projectId : str, default is Undefined, optional + project Id + tune : [GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0], default is Undefined, optional + tune + """ + + + clientEmail?: str + + clientId?: str + + customEndpoint?: [GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProviderCustomEndpointItems0] + + description?: str + + disableRemount?: bool + + local?: bool + + namespace?: str + + path?: str + + privateKeyId?: str + + projectId?: str + + tune?: [GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0] + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProviderCustomEndpointItems0: + r""" + gcp vault upbound io v1alpha1 auth backend spec init provider custom endpoint items0 + + Attributes + ---------- + api : str, default is Undefined, optional + Replaces the service endpoint used in API requests to https://www.googleapis.com. + compute : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://compute.googleapis.com`. + crm : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`. + iam : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://iam.googleapis.com`. 
+ """ + + + api?: str + + compute?: str + + crm?: str + + iam?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0: + r""" + gcp vault upbound io v1alpha1 auth backend spec init provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + allowed response headers + auditNonHmacRequestKeys : [str], default is Undefined, optional + audit non hmac request keys + auditNonHmacResponseKeys : [str], default is Undefined, optional + audit non hmac response keys + defaultLeaseTtl : str, default is Undefined, optional + default lease Ttl + listingVisibility : str, default is Undefined, optional + listing visibility + maxLeaseTtl : str, default is Undefined, optional + max lease Ttl + passthroughRequestHeaders : [str], default is Undefined, optional + passthrough request headers + tokenType : str, default is Undefined, optional + token type + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendStatus: + r""" + AuthBackendStatus defines the observed state of AuthBackend. + + Attributes + ---------- + atProvider : GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [GcpVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProvider + + conditions?: [GcpVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0] + + +schema GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProvider: + r""" + gcp vault upbound io v1alpha1 auth backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The accessor of the auth backend + clientEmail : str, default is Undefined, optional + client email + clientId : str, default is Undefined, optional + client Id + customEndpoint : [GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProviderCustomEndpointItems0], default is Undefined, optional + Specifies overrides to service endpoints used when making API requests to GCP. + description : str, default is Undefined, optional + description + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Specifies if the auth method is local only + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + path + privateKeyId : str, default is Undefined, optional + private key Id + projectId : str, default is Undefined, optional + project Id + tune : [GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0], default is Undefined, optional + tune + """ + + + accessor?: str + + clientEmail?: str + + clientId?: str + + customEndpoint?: [GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProviderCustomEndpointItems0] + + description?: str + + disableRemount?: bool + + id?: str + + local?: bool + + namespace?: str + + path?: str + + privateKeyId?: str + + projectId?: str + + tune?: [GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0] + + +schema GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProviderCustomEndpointItems0: + r""" + gcp vault upbound io v1alpha1 auth backend status at provider custom endpoint items0 + + Attributes + ---------- + api : str, default is Undefined, optional + Replaces the service endpoint used in API requests to https://www.googleapis.com. + compute : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://compute.googleapis.com`. + crm : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`. + iam : str, default is Undefined, optional + Replaces the service endpoint used in API requests to `https://iam.googleapis.com`. 
+ """ + + + api?: str + + compute?: str + + crm?: str + + iam?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0: + r""" + gcp vault upbound io v1alpha1 auth backend status at provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + allowed response headers + auditNonHmacRequestKeys : [str], default is Undefined, optional + audit non hmac request keys + auditNonHmacResponseKeys : [str], default is Undefined, optional + audit non hmac response keys + defaultLeaseTtl : str, default is Undefined, optional + default lease Ttl + listingVisibility : str, default is Undefined, optional + listing visibility + maxLeaseTtl : str, default is Undefined, optional + max lease Ttl + passthroughRequestHeaders : [str], default is Undefined, optional + passthrough request headers + tokenType : str, default is Undefined, optional + token type + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..d19d1055 --- /dev/null +++ b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,595 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Managing roles in an GCP auth backend in Vault + + Attributes + ---------- + apiVersion : str, default is "gcp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : GcpVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "gcp.vault.upbound.io/v1alpha1" = "gcp.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: GcpVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or 
"Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + gcp vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + addGroupAliases : bool, default is Undefined, optional + add group aliases + allowGceInference : bool, default is Undefined, optional + A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token. 
+ backend : str, default is Undefined, optional + Path to the mounted GCP auth backend + boundInstanceGroups : [str], default is Undefined, optional + The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. + boundLabels : [str], default is Undefined, optional + A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. + boundProjects : [str], default is Undefined, optional + An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. + boundRegions : [str], default is Undefined, optional + The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. + boundServiceAccounts : [str], default is Undefined, optional + GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam) + boundZones : [str], default is Undefined, optional + The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. + maxJwtExp : str, default is Undefined, optional + The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the GCP role + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. 
Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + $type : str, default is Undefined, optional + Type of GCP authentication role (either gce or iam) + """ + + + addGroupAliases?: bool + + allowGceInference?: bool + + backend?: str + + boundInstanceGroups?: [str] + + boundLabels?: [str] + + boundProjects?: [str] + + boundRegions?: [str] + + boundServiceAccounts?: [str] + + boundZones?: [str] + + maxJwtExp?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. 
The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + addGroupAliases : bool, default is Undefined, optional + add group aliases + allowGceInference : bool, default is Undefined, optional + A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token. + backend : str, default is Undefined, optional + Path to the mounted GCP auth backend + boundInstanceGroups : [str], default is Undefined, optional + The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. + boundLabels : [str], default is Undefined, optional + A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. + boundProjects : [str], default is Undefined, optional + An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. + boundRegions : [str], default is Undefined, optional + The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. + boundServiceAccounts : [str], default is Undefined, optional + GCP Service Accounts allowed to issue tokens under this role. 
(Note: Required if role is iam) + boundZones : [str], default is Undefined, optional + The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. + maxJwtExp : str, default is Undefined, optional + The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the GCP role + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. 
The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + $type : str, default is Undefined, optional + Type of GCP authentication role (either gce or iam) + """ + + + addGroupAliases?: bool + + allowGceInference?: bool + + backend?: str + + boundInstanceGroups?: [str] + + boundLabels?: [str] + + boundProjects?: [str] + + boundRegions?: [str] + + boundServiceAccounts?: [str] + + boundZones?: [str] + + maxJwtExp?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
+ + Attributes + ---------- + atProvider : GcpVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [GcpVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GcpVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [GcpVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + gcp vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + addGroupAliases : bool, default is Undefined, optional + add group aliases + allowGceInference : bool, default is Undefined, optional + A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token. + backend : str, default is Undefined, optional + Path to the mounted GCP auth backend + boundInstanceGroups : [str], default is Undefined, optional + The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too. + boundLabels : [str], default is Undefined, optional + A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions. + boundProjects : [str], default is Undefined, optional + An array of GCP project IDs. Only entities belonging to this project can authenticate under the role. + boundRegions : [str], default is Undefined, optional + The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored. 
+ boundServiceAccounts : [str], default is Undefined, optional + GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam) + boundZones : [str], default is Undefined, optional + The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone. + id : str, default is Undefined, optional + id + maxJwtExp : str, default is Undefined, optional + The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the GCP role + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. 
Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + $type : str, default is Undefined, optional + Type of GCP authentication role (either gce or iam) + """ + + + addGroupAliases?: bool + + allowGceInference?: bool + + backend?: str + + boundInstanceGroups?: [str] + + boundLabels?: [str] + + boundProjects?: [str] + + boundRegions?: [str] + + boundServiceAccounts?: [str] + + boundZones?: [str] + + id?: str + + maxJwtExp?: str + + namespace?: str + + role?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..e22280b6 --- /dev/null 
+++ b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,441 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates an GCP secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "gcp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GcpVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : GcpVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "gcp.vault.upbound.io/v1alpha1" = "gcp.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: GcpVaultUpboundIoV1alpha1SecretBackendSpec + + status?: GcpVaultUpboundIoV1alpha1SecretBackendStatus + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GcpVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : GcpVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GcpVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GcpVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: GcpVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GcpVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + gcp vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + credentialsSecretRef : GcpVaultUpboundIoV1alpha1SecretBackendSpecForProviderCredentialsSecretRef, default is Undefined, optional + credentials secret ref + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Defaults to '0'. 
Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Defaults to '0'. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp. Path to mount the backend at. + """ + + + credentialsSecretRef?: GcpVaultUpboundIoV1alpha1SecretBackendSpecForProviderCredentialsSecretRef + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecForProviderCredentialsSecretRef: + r""" + The GCP service account credentials in JSON format. JSON-encoded credentials to use to connect to GCP + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. 
+ namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Defaults to '0'. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Defaults to '0'. 
Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp. Path to mount the backend at. + """ + + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. 
+ + Attributes + ---------- + atProvider : GcpVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [GcpVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GcpVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [GcpVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema GcpVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + gcp vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Defaults to '0'. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Defaults to '0'. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp. Path to mount the backend at. + """ + + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + id?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + path?: str + + +schema GcpVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_impersonated_account.k b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_impersonated_account.k new file mode 100644 index 00000000..699673d3 --- /dev/null +++ b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_impersonated_account.k 
@@ -0,0 +1,395 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretImpersonatedAccount: + r""" + SecretImpersonatedAccount is the Schema for the SecretImpersonatedAccounts API. Creates a Impersonated Account for the GCP Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "gcp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretImpersonatedAccount", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpec, default is Undefined, required + spec + status : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatus, default is Undefined, optional + status + """ + + + apiVersion: "gcp.vault.upbound.io/v1alpha1" = "gcp.vault.upbound.io/v1alpha1" + + kind: "SecretImpersonatedAccount" = "SecretImpersonatedAccount" + + metadata?: v1.ObjectMeta + + spec: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpec + + status?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatus + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpec: + r""" + SecretImpersonatedAccountSpec defines the desired state of SecretImpersonatedAccount + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecForProvider, default is Undefined, required + for provider + initProvider : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecForProvider + + initProvider?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderConfigRef + + providerRef?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderRef + + publishConnectionDetailsTo?: 
GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecWriteConnectionSecretToRef + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecForProvider: + r""" + gcp vault upbound io v1alpha1 secret impersonated account spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + impersonatedAccount : str, default is Undefined, optional + Name of the Impersonated Account to create Name of the Impersonated Account to create + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + serviceAccountEmail : str, default is Undefined, optional + Email of the GCP service account to impersonate. Email of the GCP service account. + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access tokens generated under this impersonated account. List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) + """ + + + backend?: str + + impersonatedAccount?: str + + namespace?: str + + serviceAccountEmail?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + impersonatedAccount : str, default is Undefined, optional + Name of the Impersonated Account to create Name of the Impersonated Account to create + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + serviceAccountEmail : str, default is Undefined, optional + Email of the GCP service account to impersonate. Email of the GCP service account. + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access tokens generated under this impersonated account. List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) + """ + + + backend?: str + + impersonatedAccount?: str + + namespace?: str + + serviceAccountEmail?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToConfigRef + + metadata?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatus: + r""" + SecretImpersonatedAccountStatus defines the observed state of SecretImpersonatedAccount. + + Attributes + ---------- + atProvider : GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatusAtProvider, default is Undefined, optional + at provider + conditions : [GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatusAtProvider + + conditions?: [GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatusConditionsItems0] + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatusAtProvider: + r""" + gcp vault upbound io v1alpha1 secret impersonated account status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. 
+ id : str, default is Undefined, optional + id + impersonatedAccount : str, default is Undefined, optional + Name of the Impersonated Account to create Name of the Impersonated Account to create + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + serviceAccountEmail : str, default is Undefined, optional + Email of the GCP service account to impersonate. Email of the GCP service account. + serviceAccountProject : str, default is Undefined, optional + Project the service account belongs to. Project of the GCP Service Account managed by this impersonated account + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access tokens generated under this impersonated account. List of OAuth scopes to assign to `access_token` secrets generated under this impersonated account (`access_token` impersonated accounts only) + """ + + + backend?: str + + id?: str + + impersonatedAccount?: str + + namespace?: str + + serviceAccountEmail?: str + + serviceAccountProject?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretImpersonatedAccountStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_roleset.k b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_roleset.k new file mode 100644 index 00000000..40c4116e --- /dev/null +++ b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_roleset.k 
@@ -0,0 +1,473 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretRoleset: + r""" + SecretRoleset is the Schema for the SecretRolesets API. Creates a Roleset for the GCP Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "gcp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretRoleset", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GcpVaultUpboundIoV1alpha1SecretRolesetSpec, default is Undefined, required + spec + status : GcpVaultUpboundIoV1alpha1SecretRolesetStatus, default is Undefined, optional + status + """ + + + apiVersion: "gcp.vault.upbound.io/v1alpha1" = "gcp.vault.upbound.io/v1alpha1" + + kind: "SecretRoleset" = "SecretRoleset" + + metadata?: v1.ObjectMeta + + spec: GcpVaultUpboundIoV1alpha1SecretRolesetSpec + + status?: GcpVaultUpboundIoV1alpha1SecretRolesetStatus + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpec: + r""" + SecretRolesetSpec defines the desired state of SecretRoleset + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external 
resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GcpVaultUpboundIoV1alpha1SecretRolesetSpecForProvider, default is Undefined, required + for provider + initProvider : GcpVaultUpboundIoV1alpha1SecretRolesetSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GcpVaultUpboundIoV1alpha1SecretRolesetSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GcpVaultUpboundIoV1alpha1SecretRolesetSpecForProvider + + initProvider?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderConfigRef + + providerRef?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderRef + + publishConnectionDetailsTo?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecWriteConnectionSecretToRef + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecForProvider: + r""" + gcp vault upbound io v1alpha1 secret roleset spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + binding : [GcpVaultUpboundIoV1alpha1SecretRolesetSpecForProviderBindingItems0], default is Undefined, optional + Bindings to create for this roleset. 
This can be specified multiple times for multiple bindings. Structure is documented below. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + project : str, default is Undefined, optional + Name of the GCP project that this roleset's service account will belong to. Name of the GCP project that this roleset's service account will belong to. + roleset : str, default is Undefined, optional + Name of the Roleset to create Name of the RoleSet to create + secretType : str, default is Undefined, optional + Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) + """ + + + backend?: str + + binding?: [GcpVaultUpboundIoV1alpha1SecretRolesetSpecForProviderBindingItems0] + + namespace?: str + + project?: str + + roleset?: str + + secretType?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecForProviderBindingItems0: + r""" + gcp vault upbound io v1alpha1 secret roleset spec for provider binding items0 + + Attributes + ---------- + resource : str, default is Undefined, optional + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. 
Resource name + roles : [str], default is Undefined, optional + List of GCP IAM roles for the resource. List of roles to apply to the resource + """ + + + resource?: str + + roles?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + binding : [GcpVaultUpboundIoV1alpha1SecretRolesetSpecInitProviderBindingItems0], default is Undefined, optional + Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + project : str, default is Undefined, optional + Name of the GCP project that this roleset's service account will belong to. Name of the GCP project that this roleset's service account will belong to. 
+ roleset : str, default is Undefined, optional + Name of the Roleset to create Name of the RoleSet to create + secretType : str, default is Undefined, optional + Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) + """ + + + backend?: str + + binding?: [GcpVaultUpboundIoV1alpha1SecretRolesetSpecInitProviderBindingItems0] + + namespace?: str + + project?: str + + roleset?: str + + secretType?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecInitProviderBindingItems0: + r""" + gcp vault upbound io v1alpha1 secret roleset spec init provider binding items0 + + Attributes + ---------- + resource : str, default is Undefined, optional + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. Resource name + roles : [str], default is Undefined, optional + List of GCP IAM roles for the resource. List of roles to apply to the resource + """ + + + resource?: str + + roles?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToConfigRef + + metadata?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetStatus: + r""" + SecretRolesetStatus defines the observed state of SecretRoleset. + + Attributes + ---------- + atProvider : GcpVaultUpboundIoV1alpha1SecretRolesetStatusAtProvider, default is Undefined, optional + at provider + conditions : [GcpVaultUpboundIoV1alpha1SecretRolesetStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GcpVaultUpboundIoV1alpha1SecretRolesetStatusAtProvider + + conditions?: [GcpVaultUpboundIoV1alpha1SecretRolesetStatusConditionsItems0] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetStatusAtProvider: + r""" + gcp vault upbound io v1alpha1 secret roleset status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + binding : [GcpVaultUpboundIoV1alpha1SecretRolesetStatusAtProviderBindingItems0], default is Undefined, optional + Bindings to create for this roleset. This can be specified multiple times for multiple bindings. 
Structure is documented below. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + project : str, default is Undefined, optional + Name of the GCP project that this roleset's service account will belong to. Name of the GCP project that this roleset's service account will belong to. + roleset : str, default is Undefined, optional + Name of the Roleset to create Name of the RoleSet to create + secretType : str, default is Undefined, optional + Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token. Type of secret generated for this role set. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + serviceAccountEmail : str, default is Undefined, optional + Email of the service account created by Vault for this Roleset. Email of the service account created by Vault for this Roleset + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only). 
List of OAuth scopes to assign to `access_token` secrets generated under this role set (`access_token` role sets only) + """ + + + backend?: str + + binding?: [GcpVaultUpboundIoV1alpha1SecretRolesetStatusAtProviderBindingItems0] + + id?: str + + namespace?: str + + project?: str + + roleset?: str + + secretType?: str + + serviceAccountEmail?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetStatusAtProviderBindingItems0: + r""" + gcp vault upbound io v1alpha1 secret roleset status at provider binding items0 + + Attributes + ---------- + resource : str, default is Undefined, optional + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. Resource name + roles : [str], default is Undefined, optional + List of GCP IAM roles for the resource. List of roles to apply to the resource + """ + + + resource?: str + + roles?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretRolesetStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_static_account.k b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_static_account.k new file mode 100644 index 00000000..4f7a0ef3 --- /dev/null +++ b/crossplane-provider-vault/gcp/v1alpha1/gcp_vault_upbound_io_v1alpha1_secret_static_account.k 
@@ -0,0 +1,473 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretStaticAccount: + r""" + SecretStaticAccount is the Schema for the SecretStaticAccounts API. Creates a Static Account for the GCP Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "gcp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretStaticAccount", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpec, default is Undefined, required + spec + status : GcpVaultUpboundIoV1alpha1SecretStaticAccountStatus, default is Undefined, optional + status + """ + + + apiVersion: "gcp.vault.upbound.io/v1alpha1" = "gcp.vault.upbound.io/v1alpha1" + + kind: "SecretStaticAccount" = "SecretStaticAccount" + + metadata?: v1.ObjectMeta + + spec: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpec + + status?: GcpVaultUpboundIoV1alpha1SecretStaticAccountStatus + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpec: + r""" + SecretStaticAccountSpec defines the desired state of SecretStaticAccount + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecForProvider, default is Undefined, required + for provider + initProvider : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecForProvider + + initProvider?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderConfigRef + + providerRef?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderRef + + publishConnectionDetailsTo?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecWriteConnectionSecretToRef + + +schema 
GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecForProvider: + r""" + gcp vault upbound io v1alpha1 secret static account spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + binding : [GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecForProviderBindingItems0], default is Undefined, optional + Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + secretType : str, default is Undefined, optional + Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + serviceAccountEmail : str, default is Undefined, optional + Email of the GCP service account to manage. Email of the GCP service account. + staticAccount : str, default is Undefined, optional + Name of the Static Account to create Name of the Static Account to create + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). 
List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) + """ + + + backend?: str + + binding?: [GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecForProviderBindingItems0] + + namespace?: str + + secretType?: str + + serviceAccountEmail?: str + + staticAccount?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecForProviderBindingItems0: + r""" + gcp vault upbound io v1alpha1 secret static account spec for provider binding items0 + + Attributes + ---------- + resource : str, default is Undefined, optional + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. Resource name + roles : [str], default is Undefined, optional + List of GCP IAM roles for the resource. List of roles to apply to the resource + """ + + + resource?: str + + roles?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. 
+ binding : [GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecInitProviderBindingItems0], default is Undefined, optional + Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + secretType : str, default is Undefined, optional + Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + serviceAccountEmail : str, default is Undefined, optional + Email of the GCP service account to manage. Email of the GCP service account. + staticAccount : str, default is Undefined, optional + Name of the Static Account to create Name of the Static Account to create + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). 
List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) + """ + + + backend?: str + + binding?: [GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecInitProviderBindingItems0] + + namespace?: str + + secretType?: str + + serviceAccountEmail?: str + + staticAccount?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecInitProviderBindingItems0: + r""" + gcp vault upbound io v1alpha1 secret static account spec init provider binding items0 + + Attributes + ---------- + resource : str, default is Undefined, optional + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. Resource name + roles : [str], default is Undefined, optional + List of GCP IAM roles for the resource. List of roles to apply to the resource + """ + + + resource?: str + + roles?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToConfigRef + + metadata?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountStatus: + r""" + SecretStaticAccountStatus defines the observed state of SecretStaticAccount. + + Attributes + ---------- + atProvider : GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusAtProvider, default is Undefined, optional + at provider + conditions : [GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusAtProvider + + conditions?: [GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusConditionsItems0] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusAtProvider: + r""" + gcp vault upbound io v1alpha1 secret static account status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the GCP Secrets Engine is mounted Path where the GCP secrets engine is mounted. + binding : [GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusAtProviderBindingItems0], default is Undefined, optional + Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + secretType : str, default is Undefined, optional + Type of secret generated for this static account. Accepted values: access_token, service_account_key. Defaults to access_token. Type of secret generated for this static account. Defaults to `access_token`. Accepted values: `access_token`, `service_account_key` + serviceAccountEmail : str, default is Undefined, optional + Email of the GCP service account to manage. Email of the GCP service account. + serviceAccountProject : str, default is Undefined, optional + Project the service account belongs to. Project of the GCP Service Account managed by this static account + staticAccount : str, default is Undefined, optional + Name of the Static Account to create Name of the Static Account to create + tokenScopes : [str], default is Undefined, optional + List of OAuth scopes to assign to access_token secrets generated under this static account (access_token static accounts only). List of OAuth scopes to assign to `access_token` secrets generated under this static account (`access_token` static accounts only) + """ + + + backend?: str + + binding?: [GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusAtProviderBindingItems0] + + id?: str + + namespace?: str + + secretType?: str + + serviceAccountEmail?: str + + serviceAccountProject?: str + + staticAccount?: str + + tokenScopes?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusAtProviderBindingItems0: + r""" + gcp vault upbound io v1alpha1 secret static account status at provider binding items0 + + Attributes + ---------- + resource : str, default is Undefined, optional + Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats. Resource name + roles : [str], default is Undefined, optional + List of GCP IAM roles for the resource. 
List of roles to apply to the resource + """ + + + resource?: str + + roles?: [str] + + +schema GcpVaultUpboundIoV1alpha1SecretStaticAccountStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_endpoint.k b/crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_endpoint.k new file mode 100644 index 00000000..e5d4879c --- /dev/null +++ b/crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_endpoint.k 
@@ -0,0 +1,437 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Endpoint: + r""" + Endpoint is the Schema for the Endpoints API. Writes arbitrary data to a given path in Vault + + Attributes + ---------- + apiVersion : str, default is "generic.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Endpoint", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GenericVaultUpboundIoV1alpha1EndpointSpec, default is Undefined, required + spec + status : GenericVaultUpboundIoV1alpha1EndpointStatus, default is Undefined, optional + status + """ + + + apiVersion: "generic.vault.upbound.io/v1alpha1" = "generic.vault.upbound.io/v1alpha1" + + kind: "Endpoint" = "Endpoint" + + metadata?: v1.ObjectMeta + + spec: GenericVaultUpboundIoV1alpha1EndpointSpec + + status?: GenericVaultUpboundIoV1alpha1EndpointStatus + + +schema GenericVaultUpboundIoV1alpha1EndpointSpec: + r""" + EndpointSpec defines the desired state of Endpoint + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GenericVaultUpboundIoV1alpha1EndpointSpecForProvider, default is Undefined, required + for provider + initProvider : GenericVaultUpboundIoV1alpha1EndpointSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GenericVaultUpboundIoV1alpha1EndpointSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GenericVaultUpboundIoV1alpha1EndpointSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GenericVaultUpboundIoV1alpha1EndpointSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GenericVaultUpboundIoV1alpha1EndpointSpecForProvider + + initProvider?: GenericVaultUpboundIoV1alpha1EndpointSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GenericVaultUpboundIoV1alpha1EndpointSpecProviderConfigRef + + providerRef?: GenericVaultUpboundIoV1alpha1EndpointSpecProviderRef + + publishConnectionDetailsTo?: GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GenericVaultUpboundIoV1alpha1EndpointSpecWriteConnectionSecretToRef + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecForProvider: + r""" + generic vault upbound io v1alpha1 endpoint spec for provider + + Attributes + ---------- + dataJsonSecretRef : GenericVaultUpboundIoV1alpha1EndpointSpecForProviderDataJSONSecretRef, default is Undefined, optional + data Json secret ref + disableDelete : bool, default is Undefined, optional + True/false. 
Set this to true if your vault authentication is not able to delete the data or if the endpoint does not support the DELETE method. Defaults to false. Don't attempt to delete the path from Vault if true + disableRead : bool, default is Undefined, optional + True/false. Set this to true if your vault authentication is not able to read the data or if the endpoint does not support the GET method. Setting this to true will break drift detection. You should set this to true for endpoints that are write-only. Defaults to false. Don't attempt to read the path from Vault if true; drift won't be detected + ignoreAbsentFields : bool, default is Undefined, optional + True/false. If set to true, ignore any fields present when the endpoint is read but that were not in data_json. Also, if a field that was written is not returned when the endpoint is read, treat that field as being up to date. You should set this to true when writing to endpoint that, when read, returns a different set of fields from the ones you wrote, as is common with many configuration endpoints. Defaults to false. When reading, disregard fields not present in data_json + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the PUT methods and to determine whether they also support DELETE and GET. Full path where to the endpoint that will be written + writeFields : [str], default is Undefined, optional + . A list of fields that should be returned in write_data_json and write_data. If omitted, data returned by the write operation is not available to the resource or included in state. 
This helps to avoid accidental storage of sensitive values in state. Some endpoints, such as many dynamic secrets endpoints, return data from writing to an endpoint rather than reading it. You should use write_fields if you need information returned in this way. Top-level fields returned by write to persist in state + """ + + + dataJsonSecretRef?: GenericVaultUpboundIoV1alpha1EndpointSpecForProviderDataJSONSecretRef + + disableDelete?: bool + + disableRead?: bool + + ignoreAbsentFields?: bool + + namespace?: str + + path?: str + + writeFields?: [str] + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecForProviderDataJSONSecretRef: + r""" + String containing a JSON-encoded object that will be written to the given path as the secret data. JSON-encoded data to write. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + disableDelete : bool, default is Undefined, optional + True/false. 
Set this to true if your vault authentication is not able to delete the data or if the endpoint does not support the DELETE method. Defaults to false. Don't attempt to delete the path from Vault if true + disableRead : bool, default is Undefined, optional + True/false. Set this to true if your vault authentication is not able to read the data or if the endpoint does not support the GET method. Setting this to true will break drift detection. You should set this to true for endpoints that are write-only. Defaults to false. Don't attempt to read the path from Vault if true; drift won't be detected + ignoreAbsentFields : bool, default is Undefined, optional + True/false. If set to true, ignore any fields present when the endpoint is read but that were not in data_json. Also, if a field that was written is not returned when the endpoint is read, treat that field as being up to date. You should set this to true when writing to endpoint that, when read, returns a different set of fields from the ones you wrote, as is common with many configuration endpoints. Defaults to false. When reading, disregard fields not present in data_json + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the PUT methods and to determine whether they also support DELETE and GET. Full path where to the endpoint that will be written + writeFields : [str], default is Undefined, optional + . A list of fields that should be returned in write_data_json and write_data. If omitted, data returned by the write operation is not available to the resource or included in state. 
This helps to avoid accidental storage of sensitive values in state. Some endpoints, such as many dynamic secrets endpoints, return data from writing to an endpoint rather than reading it. You should use write_fields if you need information returned in this way. Top-level fields returned by write to persist in state + """ + + + disableDelete?: bool + + disableRead?: bool + + ignoreAbsentFields?: bool + + namespace?: str + + path?: str + + writeFields?: [str] + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GenericVaultUpboundIoV1alpha1EndpointSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GenericVaultUpboundIoV1alpha1EndpointSpecProviderConfigRefPolicy + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GenericVaultUpboundIoV1alpha1EndpointSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GenericVaultUpboundIoV1alpha1EndpointSpecProviderRefPolicy + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToConfigRef + + metadata?: GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GenericVaultUpboundIoV1alpha1EndpointSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GenericVaultUpboundIoV1alpha1EndpointStatus: + r""" + EndpointStatus defines the observed state of Endpoint. 
+ + Attributes + ---------- + atProvider : GenericVaultUpboundIoV1alpha1EndpointStatusAtProvider, default is Undefined, optional + at provider + conditions : [GenericVaultUpboundIoV1alpha1EndpointStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: GenericVaultUpboundIoV1alpha1EndpointStatusAtProvider + + conditions?: [GenericVaultUpboundIoV1alpha1EndpointStatusConditionsItems0] + + +schema GenericVaultUpboundIoV1alpha1EndpointStatusAtProvider: + r""" + generic vault upbound io v1alpha1 endpoint status at provider + + Attributes + ---------- + disableDelete : bool, default is Undefined, optional + True/false. Set this to true if your vault authentication is not able to delete the data or if the endpoint does not support the DELETE method. Defaults to false. Don't attempt to delete the path from Vault if true + disableRead : bool, default is Undefined, optional + True/false. Set this to true if your vault authentication is not able to read the data or if the endpoint does not support the GET method. Setting this to true will break drift detection. You should set this to true for endpoints that are write-only. Defaults to false. Don't attempt to read the path from Vault if true; drift won't be detected + id : str, default is Undefined, optional + id + ignoreAbsentFields : bool, default is Undefined, optional + True/false. If set to true, ignore any fields present when the endpoint is read but that were not in data_json. Also, if a field that was written is not returned when the endpoint is read, treat that field as being up to date. You should set this to true when writing to endpoint that, when read, returns a different set of fields from the ones you wrote, as is common with many configuration endpoints. Defaults to false. When reading, disregard fields not present in data_json + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The full logical path at which to write the given data. Consult each backend's documentation to see which endpoints support the PUT methods and to determine whether they also support DELETE and GET. Full path where to the endpoint that will be written + writeData : {str:str}, default is Undefined, optional + A map whose keys are the top-level data keys returned from Vault by the write operation and whose values are the corresponding values. This map can only represent string data, so any non-string values returned from Vault are serialized as JSON. Only fields set in write_fields are present in the JSON data. Map of strings returned by write operation + writeDataJson : str, default is Undefined, optional + The JSON data returned by the write operation. Only fields set in write_fields are present in the JSON data. JSON data returned by write operation + writeFields : [str], default is Undefined, optional + . A list of fields that should be returned in write_data_json and write_data. If omitted, data returned by the write operation is not available to the resource or included in state. This helps to avoid accidental storage of sensitive values in state. Some endpoints, such as many dynamic secrets endpoints, return data from writing to an endpoint rather than reading it. You should use write_fields if you need information returned in this way. 
Top-level fields returned by write to persist in state + """ + + + disableDelete?: bool + + disableRead?: bool + + id?: str + + ignoreAbsentFields?: bool + + namespace?: str + + path?: str + + writeData?: {str:str} + + writeDataJson?: str + + writeFields?: [str] + + +schema GenericVaultUpboundIoV1alpha1EndpointStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_secret.k b/crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_secret.k new file mode 100644 index 00000000..ccba2aed --- /dev/null +++ b/crossplane-provider-vault/generic/v1alpha1/generic_vault_upbound_io_v1alpha1_secret.k 
@@ -0,0 +1,405 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Secret: + r""" + Secret is the Schema for the Secrets API. Writes arbitrary data to a given path in Vault + + Attributes + ---------- + apiVersion : str, default is "generic.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Secret", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GenericVaultUpboundIoV1alpha1SecretSpec, default is Undefined, required + spec + status : GenericVaultUpboundIoV1alpha1SecretStatus, default is Undefined, optional + status + """ + + + apiVersion: "generic.vault.upbound.io/v1alpha1" = "generic.vault.upbound.io/v1alpha1" + + kind: "Secret" = "Secret" + + metadata?: v1.ObjectMeta + + spec: GenericVaultUpboundIoV1alpha1SecretSpec + + status?: GenericVaultUpboundIoV1alpha1SecretStatus + + +schema GenericVaultUpboundIoV1alpha1SecretSpec: + r""" + SecretSpec defines the desired state of Secret + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GenericVaultUpboundIoV1alpha1SecretSpecForProvider, default is Undefined, required + for provider + initProvider : GenericVaultUpboundIoV1alpha1SecretSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GenericVaultUpboundIoV1alpha1SecretSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GenericVaultUpboundIoV1alpha1SecretSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GenericVaultUpboundIoV1alpha1SecretSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GenericVaultUpboundIoV1alpha1SecretSpecForProvider + + initProvider?: GenericVaultUpboundIoV1alpha1SecretSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GenericVaultUpboundIoV1alpha1SecretSpecProviderConfigRef + + providerRef?: GenericVaultUpboundIoV1alpha1SecretSpecProviderRef + + publishConnectionDetailsTo?: GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GenericVaultUpboundIoV1alpha1SecretSpecWriteConnectionSecretToRef + + +schema GenericVaultUpboundIoV1alpha1SecretSpecForProvider: + r""" + generic vault upbound io v1alpha1 secret spec for provider + + Attributes + ---------- + dataJsonSecretRef : GenericVaultUpboundIoV1alpha1SecretSpecForProviderDataJSONSecretRef, default is Undefined, optional + data Json secret ref + deleteAllVersions : bool, default is Undefined, optional + true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. 
The default behavior is to only delete the latest version of the secret. Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. + disableRead : bool, default is Undefined, optional + true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false. Don't attempt to read the token from Vault if true; drift won't be detected. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods. Full path where the generic secret will be written. + """ + + + dataJsonSecretRef?: GenericVaultUpboundIoV1alpha1SecretSpecForProviderDataJSONSecretRef + + deleteAllVersions?: bool + + disableRead?: bool + + namespace?: str + + path?: str + + +schema GenericVaultUpboundIoV1alpha1SecretSpecForProviderDataJSONSecretRef: + r""" + String containing a JSON-encoded object that will be written as the secret data at the given path. JSON-encoded secret data to write. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema GenericVaultUpboundIoV1alpha1SecretSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. 
Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + deleteAllVersions : bool, default is Undefined, optional + true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret. Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. + disableRead : bool, default is Undefined, optional + true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false. Don't attempt to read the token from Vault if true; drift won't be detected. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. 
Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods. Full path where the generic secret will be written. + """ + + + deleteAllVersions?: bool + + disableRead?: bool + + namespace?: str + + path?: str + + +schema GenericVaultUpboundIoV1alpha1SecretSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GenericVaultUpboundIoV1alpha1SecretSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GenericVaultUpboundIoV1alpha1SecretSpecProviderConfigRefPolicy + + +schema GenericVaultUpboundIoV1alpha1SecretSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GenericVaultUpboundIoV1alpha1SecretSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GenericVaultUpboundIoV1alpha1SecretSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GenericVaultUpboundIoV1alpha1SecretSpecProviderRefPolicy + + +schema GenericVaultUpboundIoV1alpha1SecretSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRef + + metadata?: GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GenericVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GenericVaultUpboundIoV1alpha1SecretSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GenericVaultUpboundIoV1alpha1SecretStatus: + r""" + SecretStatus defines the observed state of Secret. + + Attributes + ---------- + atProvider : GenericVaultUpboundIoV1alpha1SecretStatusAtProvider, default is Undefined, optional + at provider + conditions : [GenericVaultUpboundIoV1alpha1SecretStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: GenericVaultUpboundIoV1alpha1SecretStatusAtProvider + + conditions?: [GenericVaultUpboundIoV1alpha1SecretStatusConditionsItems0] + + +schema GenericVaultUpboundIoV1alpha1SecretStatusAtProvider: + r""" + generic vault upbound io v1alpha1 secret status at provider + + Attributes + ---------- + deleteAllVersions : bool, default is Undefined, optional + true/false. Only applicable for kv-v2 stores. If set to true, permanently deletes all versions for the specified key. The default behavior is to only delete the latest version of the secret. Only applicable for kv-v2 stores. If set, permanently deletes all versions for the specified key. + disableRead : bool, default is Undefined, optional + true/false. Set this to true if your vault authentication is not able to read the data. Setting this to true will break drift detection. Defaults to false. Don't attempt to read the token from Vault if true; drift won't be detected. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The full logical path at which to write the given data. To write data into the "generic" secret backend mounted in Vault by default, this should be prefixed with secret/. Writing to other backends with this resource is possible; consult each backend's documentation to see which endpoints support the PUT and DELETE methods. Full path where the generic secret will be written. + """ + + + deleteAllVersions?: bool + + disableRead?: bool + + id?: str + + namespace?: str + + path?: str + + +schema GenericVaultUpboundIoV1alpha1SecretStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_auth_backend.k b/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_auth_backend.k new file mode 100644 index 00000000..2065ac5a --- /dev/null +++ b/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_auth_backend.k 
@@ -0,0 +1,665 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackend: + r""" + AuthBackend is the Schema for the AuthBackends API. Manages GitHub Auth mounts in Vault. + + Attributes + ---------- + apiVersion : str, default is "github.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GithubVaultUpboundIoV1alpha1AuthBackendSpec, default is Undefined, required + spec + status : GithubVaultUpboundIoV1alpha1AuthBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "github.vault.upbound.io/v1alpha1" = "github.vault.upbound.io/v1alpha1" + + kind: "AuthBackend" = "AuthBackend" + + metadata?: v1.ObjectMeta + + spec: GithubVaultUpboundIoV1alpha1AuthBackendSpec + + status?: GithubVaultUpboundIoV1alpha1AuthBackendStatus + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpec: + r""" + AuthBackendSpec defines the desired state of AuthBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GithubVaultUpboundIoV1alpha1AuthBackendSpecForProvider, default is Undefined, required + for provider + initProvider : GithubVaultUpboundIoV1alpha1AuthBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GithubVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GithubVaultUpboundIoV1alpha1AuthBackendSpecForProvider + + initProvider?: GithubVaultUpboundIoV1alpha1AuthBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef + + providerRef?: GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderRef + + publishConnectionDetailsTo?: GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GithubVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecForProvider: + r""" + github vault upbound io v1alpha1 auth backend spec for provider + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. 
+ description : str, default is Undefined, optional + Specifies the description of the mount. This overrides the current stored value, if any. Specifies the description of the mount. This overrides the current stored value, if any. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization configured users must be part of. The organization users must be part of. + organizationId : float, default is Undefined, optional + The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+) The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+) + path : str, default is Undefined, optional + Path where the auth backend is mounted. Defaults to auth/github if not specified. Path where the auth backend is mounted + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. 
Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + tune : [GithubVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0], default is Undefined, optional + Extra configuration block. Structure is documented below. + """ + + + baseUrl?: str + + description?: str + + disableRemount?: bool + + namespace?: str + + organization?: str + + organizationId?: float + + path?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + tune?: [GithubVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0] + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0: + r""" + github vault upbound io v1alpha1 auth backend spec for provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + List of headers to whitelist and allowing a plugin to include them in the response. + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtl : str, default is Undefined, optional + Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string + listingVisibility : str, default is Undefined, optional + Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". + maxLeaseTtl : str, default is Undefined, optional + Specifies the maximum time-to-live. If set, this overrides the global default. 
Must be a valid duration string + passthroughRequestHeaders : [str], default is Undefined, optional + List of headers to whitelist and pass from the request to the backend. + tokenType : str, default is Undefined, optional + Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. + description : str, default is Undefined, optional + Specifies the description of the mount. This overrides the current stored value, if any. Specifies the description of the mount. This overrides the current stored value, if any. 
+ disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization configured users must be part of. The organization users must be part of. + organizationId : float, default is Undefined, optional + The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+) The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided (vault-1.10+) + path : str, default is Undefined, optional + Path where the auth backend is mounted. Defaults to auth/github if not specified. Path where the auth backend is mounted + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. 
The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + tune : [GithubVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0], default is Undefined, optional + Extra configuration block. Structure is documented below. 
+ """ + + + baseUrl?: str + + description?: str + + disableRemount?: bool + + namespace?: str + + organization?: str + + organizationId?: float + + path?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + tune?: [GithubVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0] + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0: + r""" + github vault upbound io v1alpha1 auth backend spec init provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + List of headers to whitelist and allowing a plugin to include them in the response. + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtl : str, default is Undefined, optional + Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string + listingVisibility : str, default is Undefined, optional + Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". + maxLeaseTtl : str, default is Undefined, optional + Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string + passthroughRequestHeaders : [str], default is Undefined, optional + List of headers to whitelist and pass from the request to the backend. + tokenType : str, default is Undefined, optional + Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". 
+ """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GithubVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GithubVaultUpboundIoV1alpha1AuthBackendStatus: + r""" + AuthBackendStatus defines the observed state of AuthBackend. + + Attributes + ---------- + atProvider : GithubVaultUpboundIoV1alpha1AuthBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [GithubVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: GithubVaultUpboundIoV1alpha1AuthBackendStatusAtProvider + + conditions?: [GithubVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0] + + +schema GithubVaultUpboundIoV1alpha1AuthBackendStatusAtProvider: + r""" + github vault upbound io v1alpha1 auth backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine. The mount accessor related to the auth mount. + baseUrl : str, default is Undefined, optional + The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server. + description : str, default is Undefined, optional + Specifies the description of the mount. This overrides the current stored value, if any. Specifies the description of the mount. This overrides the current stored value, if any. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization configured users must be part of. The organization users must be part of. + organizationId : float, default is Undefined, optional + The ID of the organization users must be part of. Vault will attempt to fetch and set this value if it is not provided. (Vault 1.10+) The ID of the organization users must be part of. 
Vault will attempt to fetch and set this value if it is not provided (vault-1.10+) + path : str, default is Undefined, optional + Path where the auth backend is mounted. Defaults to auth/github if not specified. Path where the auth backend is mounted + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. 
Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + tune : [GithubVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0], default is Undefined, optional + Extra configuration block. Structure is documented below. + """ + + + accessor?: str + + baseUrl?: str + + description?: str + + disableRemount?: bool + + id?: str + + namespace?: str + + organization?: str + + organizationId?: float + + path?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + tune?: [GithubVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0] + + +schema GithubVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0: + r""" + github vault upbound io v1alpha1 auth backend status at provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + List of headers to whitelist and allowing a plugin to include them in the response. + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. 
+ auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtl : str, default is Undefined, optional + Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string + listingVisibility : str, default is Undefined, optional + Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". + maxLeaseTtl : str, default is Undefined, optional + Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string + passthroughRequestHeaders : [str], default is Undefined, optional + List of headers to whitelist and pass from the request to the backend. + tokenType : str, default is Undefined, optional + Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema GithubVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? 
+ $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_team.k b/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_team.k new file mode 100644 index 00000000..6df98dc8 --- /dev/null +++ b/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_team.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Team: + r""" + Team is the Schema for the Teams API. Manages Team mappings for Github Auth backend mounts in Vault. + + Attributes + ---------- + apiVersion : str, default is "github.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Team", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GithubVaultUpboundIoV1alpha1TeamSpec, default is Undefined, required + spec + status : GithubVaultUpboundIoV1alpha1TeamStatus, default is Undefined, optional + status + """ + + + apiVersion: "github.vault.upbound.io/v1alpha1" = "github.vault.upbound.io/v1alpha1" + + kind: "Team" = "Team" + + metadata?: v1.ObjectMeta + + spec: GithubVaultUpboundIoV1alpha1TeamSpec + + status?: GithubVaultUpboundIoV1alpha1TeamStatus + + +schema GithubVaultUpboundIoV1alpha1TeamSpec: + r""" + TeamSpec defines the desired state of Team + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GithubVaultUpboundIoV1alpha1TeamSpecForProvider, default is Undefined, required + for provider + initProvider : GithubVaultUpboundIoV1alpha1TeamSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GithubVaultUpboundIoV1alpha1TeamSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GithubVaultUpboundIoV1alpha1TeamSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GithubVaultUpboundIoV1alpha1TeamSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GithubVaultUpboundIoV1alpha1TeamSpecForProvider + + initProvider?: GithubVaultUpboundIoV1alpha1TeamSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GithubVaultUpboundIoV1alpha1TeamSpecProviderConfigRef + + providerRef?: GithubVaultUpboundIoV1alpha1TeamSpecProviderRef + + publishConnectionDetailsTo?: GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GithubVaultUpboundIoV1alpha1TeamSpecWriteConnectionSecretToRef + + +schema GithubVaultUpboundIoV1alpha1TeamSpecForProvider: + r""" + github vault upbound io v1alpha1 team spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which team mapping will be configured. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + An array of strings specifying the policies to be set on tokens issued using this role. Policies to be assigned to this team. + team : str, default is Undefined, optional + GitHub team name in "slugified" format. + """ + + + backend?: str + + namespace?: str + + policies?: [str] + + team?: str + + +schema GithubVaultUpboundIoV1alpha1TeamSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which team mapping will be configured. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + An array of strings specifying the policies to be set on tokens issued using this role. Policies to be assigned to this team. 
+ team : str, default is Undefined, optional + GitHub team name in "slugified" format. + """ + + + backend?: str + + namespace?: str + + policies?: [str] + + team?: str + + +schema GithubVaultUpboundIoV1alpha1TeamSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1TeamSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1TeamSpecProviderConfigRefPolicy + + +schema GithubVaultUpboundIoV1alpha1TeamSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1TeamSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : GithubVaultUpboundIoV1alpha1TeamSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1TeamSpecProviderRefPolicy + + +schema GithubVaultUpboundIoV1alpha1TeamSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToConfigRef + + metadata?: GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1TeamSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GithubVaultUpboundIoV1alpha1TeamSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GithubVaultUpboundIoV1alpha1TeamStatus: + r""" + TeamStatus defines the observed state of Team. + + Attributes + ---------- + atProvider : GithubVaultUpboundIoV1alpha1TeamStatusAtProvider, default is Undefined, optional + at provider + conditions : [GithubVaultUpboundIoV1alpha1TeamStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: GithubVaultUpboundIoV1alpha1TeamStatusAtProvider + + conditions?: [GithubVaultUpboundIoV1alpha1TeamStatusConditionsItems0] + + +schema GithubVaultUpboundIoV1alpha1TeamStatusAtProvider: + r""" + github vault upbound io v1alpha1 team status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which team mapping will be configured. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + An array of strings specifying the policies to be set on tokens issued using this role. Policies to be assigned to this team. + team : str, default is Undefined, optional + GitHub team name in "slugified" format. + """ + + + backend?: str + + id?: str + + namespace?: str + + policies?: [str] + + team?: str + + +schema GithubVaultUpboundIoV1alpha1TeamStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_user.k b/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_user.k new file mode 100644 index 00000000..b2c0dc0f --- /dev/null +++ b/crossplane-provider-vault/github/v1alpha1/github_vault_upbound_io_v1alpha1_user.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema User: + r""" + User is the Schema for the Users API. Manages User mappings for Github Auth backend mounts in Vault. + + Attributes + ---------- + apiVersion : str, default is "github.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "User", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : GithubVaultUpboundIoV1alpha1UserSpec, default is Undefined, required + spec + status : GithubVaultUpboundIoV1alpha1UserStatus, default is Undefined, optional + status + """ + + + apiVersion: "github.vault.upbound.io/v1alpha1" = "github.vault.upbound.io/v1alpha1" + + kind: "User" = "User" + + metadata?: v1.ObjectMeta + + spec: GithubVaultUpboundIoV1alpha1UserSpec + + status?: GithubVaultUpboundIoV1alpha1UserStatus + + +schema GithubVaultUpboundIoV1alpha1UserSpec: + r""" + UserSpec defines the desired state of User + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : GithubVaultUpboundIoV1alpha1UserSpecForProvider, default is Undefined, required + for provider + initProvider : GithubVaultUpboundIoV1alpha1UserSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : GithubVaultUpboundIoV1alpha1UserSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : GithubVaultUpboundIoV1alpha1UserSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : GithubVaultUpboundIoV1alpha1UserSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: GithubVaultUpboundIoV1alpha1UserSpecForProvider + + initProvider?: GithubVaultUpboundIoV1alpha1UserSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: GithubVaultUpboundIoV1alpha1UserSpecProviderConfigRef + + providerRef?: GithubVaultUpboundIoV1alpha1UserSpecProviderRef + + publishConnectionDetailsTo?: GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: GithubVaultUpboundIoV1alpha1UserSpecWriteConnectionSecretToRef + + +schema GithubVaultUpboundIoV1alpha1UserSpecForProvider: + r""" + github vault upbound io v1alpha1 user spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which user mapping will be congigured. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + An array of strings specifying the policies to be set on tokens issued using this role. Policies to be assigned to this user. + user : str, default is Undefined, optional + GitHub user name. GitHub user name. + """ + + + backend?: str + + namespace?: str + + policies?: [str] + + user?: str + + +schema GithubVaultUpboundIoV1alpha1UserSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which user mapping will be congigured. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + An array of strings specifying the policies to be set on tokens issued using this role. Policies to be assigned to this user. 
+ user : str, default is Undefined, optional + GitHub user name. GitHub user name. + """ + + + backend?: str + + namespace?: str + + policies?: [str] + + user?: str + + +schema GithubVaultUpboundIoV1alpha1UserSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1UserSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1UserSpecProviderConfigRefPolicy + + +schema GithubVaultUpboundIoV1alpha1UserSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1UserSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : GithubVaultUpboundIoV1alpha1UserSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1UserSpecProviderRefPolicy + + +schema GithubVaultUpboundIoV1alpha1UserSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToConfigRef + + metadata?: GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToMetadata + + name: str + + +schema GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToConfigRefPolicy + + +schema GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema GithubVaultUpboundIoV1alpha1UserSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema GithubVaultUpboundIoV1alpha1UserSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema GithubVaultUpboundIoV1alpha1UserStatus: + r""" + UserStatus defines the observed state of User. + + Attributes + ---------- + atProvider : GithubVaultUpboundIoV1alpha1UserStatusAtProvider, default is Undefined, optional + at provider + conditions : [GithubVaultUpboundIoV1alpha1UserStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: GithubVaultUpboundIoV1alpha1UserStatusAtProvider + + conditions?: [GithubVaultUpboundIoV1alpha1UserStatusConditionsItems0] + + +schema GithubVaultUpboundIoV1alpha1UserStatusAtProvider: + r""" + github vault upbound io v1alpha1 user status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Path where the github auth backend is mounted. Defaults to github if not specified. Auth backend to which user mapping will be congigured. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + An array of strings specifying the policies to be set on tokens issued using this role. Policies to be assigned to this user. + user : str, default is Undefined, optional + GitHub user name. GitHub user name. + """ + + + backend?: str + + id?: str + + namespace?: str + + policies?: [str] + + user?: str + + +schema GithubVaultUpboundIoV1alpha1UserStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity.k new file mode 100644 index 00000000..5c2658a9 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity.k 
@@ -0,0 +1,403 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Entity: + r""" + Entity is the Schema for the Entitys API. Creates an Identity Entity for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Entity", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1EntitySpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1EntityStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "Entity" = "Entity" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1EntitySpec + + status?: IdentityVaultUpboundIoV1alpha1EntityStatus + + +schema IdentityVaultUpboundIoV1alpha1EntitySpec: + r""" + EntitySpec defines the desired state of Entity + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1EntitySpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1EntitySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1EntitySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1EntitySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1EntitySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1EntitySpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1EntitySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1EntitySpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1EntitySpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1EntitySpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecForProvider: + r""" + identity vault upbound io v1alpha1 entity spec for provider + + Attributes + ---------- + disabled : bool, default is Undefined, optional + True/false Is this entity currently disabled. Defaults to false Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. + externalPolicies : bool, default is Undefined, optional + false by default. 
If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. Manage policies externally through `vault_identity_entity_policies`. + metadata : {str:str}, default is Undefined, optional + A Map of additional metadata to associate with the user. Metadata to be associated with the entity. + name : str, default is Undefined, optional + Name of the identity entity to create. Name of the entity. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies to apply to the entity. Policies to be tied to the entity. + """ + + + disabled?: bool + + externalPolicies?: bool + + metadata?: {str:str} + + name?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + disabled : bool, default is Undefined, optional + True/false Is this entity currently disabled. Defaults to false Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. + externalPolicies : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. Manage policies externally through `vault_identity_entity_policies`. + metadata : {str:str}, default is Undefined, optional + A Map of additional metadata to associate with the user. Metadata to be associated with the entity. + name : str, default is Undefined, optional + Name of the identity entity to create. Name of the entity. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies to apply to the entity. Policies to be tied to the entity. + """ + + + disabled?: bool + + externalPolicies?: bool + + metadata?: {str:str} + + name?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1EntitySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntitySpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntitySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntitySpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1EntitySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1EntityStatus: + r""" + EntityStatus defines the observed state of Entity. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1EntityStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1EntityStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1EntityStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1EntityStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1EntityStatusAtProvider: + r""" + identity vault upbound io v1alpha1 entity status at provider + + Attributes + ---------- + disabled : bool, default is Undefined, optional + True/false Is this entity currently disabled. Defaults to false Whether the entity is disabled. Disabled entities' associated tokens cannot be used, but are not revoked. + externalPolicies : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. 
You can use vault_identity_entity_policies to manage policies for this entity in a decoupled manner. Manage policies externally through `vault_identity_entity_policies`. + id : str, default is Undefined, optional + The id of the created entity. + metadata : {str:str}, default is Undefined, optional + A Map of additional metadata to associate with the user. Metadata to be associated with the entity. + name : str, default is Undefined, optional + Name of the identity entity to create. Name of the entity. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies to apply to the entity. Policies to be tied to the entity. + """ + + + disabled?: bool + + externalPolicies?: bool + + id?: str + + metadata?: {str:str} + + name?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1EntityStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_alias.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_alias.k new file mode 100644 index 00000000..f51a96d3 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_alias.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema EntityAlias: + r""" + EntityAlias is the Schema for the EntityAliass API. Creates an Identity Entity Alias for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "EntityAlias", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1EntityAliasSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1EntityAliasStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "EntityAlias" = "EntityAlias" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1EntityAliasSpec + + status?: IdentityVaultUpboundIoV1alpha1EntityAliasStatus + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpec: + r""" + EntityAliasSpec defines the desired state of EntityAlias + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the 
external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1EntityAliasSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1EntityAliasSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1EntityAliasSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1EntityAliasSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecForProvider: + r""" + identity vault upbound io v1alpha1 entity alias spec for provider + + Attributes + ---------- + canonicalId : str, default is Undefined, optional + Entity ID to which this alias belongs to. ID of the entity to which this is an alias. + customMetadata : {str:str}, default is Undefined, optional + Custom metadata to be associated with this alias. 
+ mountAccessor : str, default is Undefined, optional + Accessor of the mount to which the alias should belong to. Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. + name : str, default is Undefined, optional + Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. Name of the entity alias. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + canonicalId?: str + + customMetadata?: {str:str} + + mountAccessor?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + canonicalId : str, default is Undefined, optional + Entity ID to which this alias belongs to. ID of the entity to which this is an alias. 
+ customMetadata : {str:str}, default is Undefined, optional + Custom metadata to be associated with this alias. + mountAccessor : str, default is Undefined, optional + Accessor of the mount to which the alias should belong to. Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. + name : str, default is Undefined, optional + Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. Name of the entity alias. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + canonicalId?: str + + customMetadata?: {str:str} + + mountAccessor?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasStatus: + r""" + EntityAliasStatus defines the observed state of EntityAlias. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1EntityAliasStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1EntityAliasStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1EntityAliasStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1EntityAliasStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasStatusAtProvider: + r""" + identity vault upbound io v1alpha1 entity alias status at provider + + Attributes + ---------- + canonicalId : str, default is Undefined, optional + Entity ID to which this alias belongs to. ID of the entity to which this is an alias. + customMetadata : {str:str}, default is Undefined, optional + Custom metadata to be associated with this alias. + id : str, default is Undefined, optional + ID of the entity alias. + mountAccessor : str, default is Undefined, optional + Accessor of the mount to which the alias should belong to. Mount accessor to which this alias belongs toMount accessor to which this alias belongs to. + name : str, default is Undefined, optional + Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username. Name of the entity alias. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + canonicalId?: str + + customMetadata?: {str:str} + + id?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1EntityAliasStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_policies.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_policies.k new file mode 100644 index 00000000..34896c9f --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_entity_policies.k 
@@ -0,0 +1,383 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema EntityPolicies: + r""" + EntityPolicies is the Schema for the EntityPoliciess API. Manages policies for an Identity Entity for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "EntityPolicies", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1EntityPoliciesStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "EntityPolicies" = "EntityPolicies" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpec + + status?: IdentityVaultUpboundIoV1alpha1EntityPoliciesStatus + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpec: + r""" + EntityPoliciesSpec defines the desired state of EntityPolicies + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecWriteConnectionSecretToRef + + +schema 
IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecForProvider: + r""" + identity vault upbound io v1alpha1 entity policies spec for provider + + Attributes + ---------- + entityId : str, default is Undefined, optional + Entity ID to assign policies to. ID of the entity. + exclusive : bool, default is Undefined, optional + Defaults to true. Should the resource manage policies exclusively + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies to assign to the entity Policies to be tied to the entity. + """ + + + entityId?: str + + exclusive?: bool + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + entityId : str, default is Undefined, optional + Entity ID to assign policies to. ID of the entity. + exclusive : bool, default is Undefined, optional + Defaults to true. 
Should the resource manage policies exclusively + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies to assign to the entity Policies to be tied to the entity. + """ + + + entityId?: str + + exclusive?: bool + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesStatus: + r""" + EntityPoliciesStatus defines the observed state of EntityPolicies. 
+ + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1EntityPoliciesStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1EntityPoliciesStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1EntityPoliciesStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1EntityPoliciesStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesStatusAtProvider: + r""" + identity vault upbound io v1alpha1 entity policies status at provider + + Attributes + ---------- + entityId : str, default is Undefined, optional + Entity ID to assign policies to. ID of the entity. + entityName : str, default is Undefined, optional + The name of the entity that are assigned the policies. Name of the entity. + exclusive : bool, default is Undefined, optional + Defaults to true. Should the resource manage policies exclusively + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies to assign to the entity Policies to be tied to the entity. + """ + + + entityId?: str + + entityName?: str + + exclusive?: bool + + id?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1EntityPoliciesStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group.k new file mode 100644 index 00000000..d0ebc985 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group.k 
@@ -0,0 +1,451 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Group: + r""" + Group is the Schema for the Groups API. Creates an Identity Group for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Group", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1GroupSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1GroupStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "Group" = "Group" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1GroupSpec + + status?: IdentityVaultUpboundIoV1alpha1GroupStatus + + +schema IdentityVaultUpboundIoV1alpha1GroupSpec: + r""" + GroupSpec defines the desired state of Group + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1GroupSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1GroupSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1GroupSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1GroupSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1GroupSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1GroupSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1GroupSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1GroupSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1GroupSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1GroupSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecForProvider: + r""" + identity vault upbound io v1alpha1 group spec for provider + + Attributes + ---------- + externalMemberEntityIds : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any Entity IDs returned from Vault or specified in the resource. You can use vault_identity_group_member_entity_ids to manage Entity IDs for this group in a decoupled manner. 
Manage member entities externally through `vault_identity_group_member_entity_ids` + externalMemberGroupIds : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any Group IDs returned from Vault or specified in the resource. You can use vault_identity_group_member_group_ids to manage Group IDs for this group in a decoupled manner. Manage member groups externally through `vault_identity_group_member_group_ids` + externalPolicies : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any policies returned from Vault or specified in the resource. You can use vault_identity_group_policies to manage policies for this group in a decoupled manner. Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. + memberEntityIds : [str], default is Undefined, optional + A list of Entity IDs to be assigned as group members. Not allowed on external groups. Entity IDs to be assigned as group members. + memberGroupIds : [str], default is Undefined, optional + A list of Group IDs to be assigned as group members. Not allowed on external groups. Group IDs to be assigned as group members. + metadata : {str:str}, default is Undefined, optional + A Map of additional metadata to associate with the group. Metadata to be associated with the group. + name : str, default is Undefined, optional + Name of the identity group to create. Name of the group. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies to apply to the group. Policies to be tied to the group. 
+ $type : str, default is Undefined, optional + Type of the group, internal or external. Defaults to internal. Type of the group, internal or external. Defaults to internal. + """ + + + externalMemberEntityIds?: bool + + externalMemberGroupIds?: bool + + externalPolicies?: bool + + memberEntityIds?: [str] + + memberGroupIds?: [str] + + metadata?: {str:str} + + name?: str + + namespace?: str + + policies?: [str] + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + externalMemberEntityIds : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any Entity IDs returned from Vault or specified in the resource. You can use vault_identity_group_member_entity_ids to manage Entity IDs for this group in a decoupled manner. Manage member entities externally through `vault_identity_group_member_entity_ids` + externalMemberGroupIds : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any Group IDs returned from Vault or specified in the resource. You can use vault_identity_group_member_group_ids to manage Group IDs for this group in a decoupled manner. 
Manage member groups externally through `vault_identity_group_member_group_ids` + externalPolicies : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any policies returned from Vault or specified in the resource. You can use vault_identity_group_policies to manage policies for this group in a decoupled manner. Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. + memberEntityIds : [str], default is Undefined, optional + A list of Entity IDs to be assigned as group members. Not allowed on external groups. Entity IDs to be assigned as group members. + memberGroupIds : [str], default is Undefined, optional + A list of Group IDs to be assigned as group members. Not allowed on external groups. Group IDs to be assigned as group members. + metadata : {str:str}, default is Undefined, optional + A Map of additional metadata to associate with the group. Metadata to be associated with the group. + name : str, default is Undefined, optional + Name of the identity group to create. Name of the group. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies to apply to the group. Policies to be tied to the group. + $type : str, default is Undefined, optional + Type of the group, internal or external. Defaults to internal. Type of the group, internal or external. Defaults to internal. 
+ """ + + + externalMemberEntityIds?: bool + + externalMemberGroupIds?: bool + + externalPolicies?: bool + + memberEntityIds?: [str] + + memberGroupIds?: [str] + + metadata?: {str:str} + + name?: str + + namespace?: str + + policies?: [str] + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1GroupStatus: + r""" + GroupStatus defines the observed state of Group. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1GroupStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1GroupStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1GroupStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1GroupStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1GroupStatusAtProvider: + r""" + identity vault upbound io v1alpha1 group status at provider + + Attributes + ---------- + externalMemberEntityIds : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any Entity IDs returned from Vault or specified in the resource. You can use vault_identity_group_member_entity_ids to manage Entity IDs for this group in a decoupled manner. Manage member entities externally through `vault_identity_group_member_entity_ids` + externalMemberGroupIds : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any Group IDs returned from Vault or specified in the resource. You can use vault_identity_group_member_group_ids to manage Group IDs for this group in a decoupled manner. Manage member groups externally through `vault_identity_group_member_group_ids` + externalPolicies : bool, default is Undefined, optional + false by default. If set to true, this resource will ignore any policies returned from Vault or specified in the resource. You can use vault_identity_group_policies to manage policies for this group in a decoupled manner. Manage policies externally through `vault_identity_group_policies`, allows using group ID in assigned policies. + id : str, default is Undefined, optional + The id of the created group. + memberEntityIds : [str], default is Undefined, optional + A list of Entity IDs to be assigned as group members. Not allowed on external groups. Entity IDs to be assigned as group members. + memberGroupIds : [str], default is Undefined, optional + A list of Group IDs to be assigned as group members. Not allowed on external groups. Group IDs to be assigned as group members. 
+ metadata : {str:str}, default is Undefined, optional + A Map of additional metadata to associate with the group. Metadata to be associated with the group. + name : str, default is Undefined, optional + Name of the identity group to create. Name of the group. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + A list of policies to apply to the group. Policies to be tied to the group. + $type : str, default is Undefined, optional + Type of the group, internal or external. Defaults to internal. Type of the group, internal or external. Defaults to internal. + """ + + + externalMemberEntityIds?: bool + + externalMemberGroupIds?: bool + + externalPolicies?: bool + + id?: str + + memberEntityIds?: [str] + + memberGroupIds?: [str] + + metadata?: {str:str} + + name?: str + + namespace?: str + + policies?: [str] + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_alias.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_alias.k new file mode 100644 index 00000000..37d50da9 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_alias.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema GroupAlias: + r""" + GroupAlias is the Schema for the GroupAliass API. Creates an Identity Group Alias for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "GroupAlias", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1GroupAliasSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1GroupAliasStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "GroupAlias" = "GroupAlias" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1GroupAliasSpec + + status?: IdentityVaultUpboundIoV1alpha1GroupAliasStatus + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpec: + r""" + GroupAliasSpec defines the desired state of GroupAlias + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1GroupAliasSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1GroupAliasSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1GroupAliasSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1GroupAliasSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecForProvider: + r""" + identity vault upbound io v1alpha1 group alias spec for provider + + Attributes + ---------- + canonicalId : str, default is Undefined, optional + ID of the group to which this is an alias. ID of the group to which this is an alias. + mountAccessor : str, default is Undefined, optional + Mount accessor of the authentication backend to which this alias belongs to. 
Mount accessor to which this alias belongs to. + name : str, default is Undefined, optional + Name of the group alias to create. Name of the group alias. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + canonicalId?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + canonicalId : str, default is Undefined, optional + ID of the group to which this is an alias. ID of the group to which this is an alias. + mountAccessor : str, default is Undefined, optional + Mount accessor of the authentication backend to which this alias belongs to. Mount accessor to which this alias belongs to. + name : str, default is Undefined, optional + Name of the group alias to create. Name of the group alias. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + canonicalId?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasStatus: + r""" + GroupAliasStatus defines the observed state of GroupAlias. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1GroupAliasStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1GroupAliasStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1GroupAliasStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1GroupAliasStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasStatusAtProvider: + r""" + identity vault upbound io v1alpha1 group alias status at provider + + Attributes + ---------- + canonicalId : str, default is Undefined, optional + ID of the group to which this is an alias. ID of the group to which this is an alias. + id : str, default is Undefined, optional + The id of the created group alias. + mountAccessor : str, default is Undefined, optional + Mount accessor of the authentication backend to which this alias belongs to. Mount accessor to which this alias belongs to. + name : str, default is Undefined, optional + Name of the group alias to create. Name of the group alias. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + canonicalId?: str + + id?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupAliasStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? 
+ $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_entity_ids.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_entity_ids.k new file mode 100644 index 00000000..d861cc1a --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_entity_ids.k 
@@ -0,0 +1,383 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema GroupMemberEntityIds: + r""" + GroupMemberEntityIds is the Schema for the GroupMemberEntityIdss API. Manages member entities for an Identity Group for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "GroupMemberEntityIds", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "GroupMemberEntityIds" = "GroupMemberEntityIds" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpec + + status?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatus + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpec: + r""" + GroupMemberEntityIdsSpec defines the desired state of GroupMemberEntityIds + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderRef + + publishConnectionDetailsTo?: 
IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecForProvider: + r""" + identity vault upbound io v1alpha1 group member entity ids spec for provider + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. If set to true, allows the resource to manage member entity ids exclusively. Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign member entities to. ID of the group. + memberEntityIds : [str], default is Undefined, optional + List of member entities that belong to the group Entity IDs to be assigned as group members. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + exclusive?: bool + + groupId?: str + + memberEntityIds?: [str] + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. If set to true, allows the resource to manage member entity ids exclusively. Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign member entities to. ID of the group. + memberEntityIds : [str], default is Undefined, optional + List of member entities that belong to the group Entity IDs to be assigned as group members. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + exclusive?: bool + + groupId?: str + + memberEntityIds?: [str] + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatus: + r""" + GroupMemberEntityIdsStatus defines the observed state of GroupMemberEntityIds. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatusAtProvider: + r""" + identity vault upbound io v1alpha1 group member entity ids status at provider + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. If set to true, allows the resource to manage member entity ids exclusively. Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign member entities to. ID of the group. + groupName : str, default is Undefined, optional + The name of the group that are assigned the member entities. Deprecated: The value for group_name may not always be accurate use data.vault_identity_group.*.group_name, or vault_identity_group.*.group_name instead. Name of the group. 
+ id : str, default is Undefined, optional + id + memberEntityIds : [str], default is Undefined, optional + List of member entities that belong to the group Entity IDs to be assigned as group members. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + exclusive?: bool + + groupId?: str + + groupName?: str + + id?: str + + memberEntityIds?: [str] + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberEntityIdsStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_group_ids.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_group_ids.k new file mode 100644 index 00000000..d7a02d7f --- /dev/null 
+++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_member_group_ids.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema GroupMemberGroupIds: + r""" + GroupMemberGroupIds is the Schema for the GroupMemberGroupIdss API. Manages member groups for an Identity Group for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "GroupMemberGroupIds", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "GroupMemberGroupIds" = "GroupMemberGroupIds" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpec + + status?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatus + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpec: + r""" + GroupMemberGroupIdsSpec defines the desired state of GroupMemberGroupIds + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecWriteConnectionSecretToRef + + 
+schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecForProvider: + r""" + identity vault upbound io v1alpha1 group member group ids spec for provider + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. If set to true, allows the resource to manage member group ids exclusively. Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign member entities to. ID of the group. + memberGroupIds : [str], default is Undefined, optional + List of member groups that belong to the group Group IDs to be assigned as group members. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + exclusive?: bool + + groupId?: str + + memberGroupIds?: [str] + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. 
If set to true, allows the resource to manage member group ids exclusively. Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign member entities to. ID of the group. + memberGroupIds : [str], default is Undefined, optional + List of member groups that belong to the group Group IDs to be assigned as group members. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + exclusive?: bool + + groupId?: str + + memberGroupIds?: [str] + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatus: + r""" + GroupMemberGroupIdsStatus defines the observed state of GroupMemberGroupIds. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatusAtProvider: + r""" + identity vault upbound io v1alpha1 group member group ids status at provider + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. If set to true, allows the resource to manage member group ids exclusively. Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign member entities to. ID of the group. + id : str, default is Undefined, optional + id + memberGroupIds : [str], default is Undefined, optional + List of member groups that belong to the group Group IDs to be assigned as group members. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + exclusive?: bool + + groupId?: str + + id?: str + + memberGroupIds?: [str] + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupMemberGroupIdsStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_policies.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_policies.k new file mode 100644 index 00000000..0e516570 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_group_policies.k 
@@ -0,0 +1,383 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema GroupPolicies: + r""" + GroupPolicies is the Schema for the GroupPoliciess API. Manages policies for an Identity Group for Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "GroupPolicies", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1GroupPoliciesStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "GroupPolicies" = "GroupPolicies" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpec + + status?: IdentityVaultUpboundIoV1alpha1GroupPoliciesStatus + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpec: + r""" + GroupPoliciesSpec defines the desired state of GroupPolicies + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either 
"Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecForProvider: + r""" + identity vault upbound io v1alpha1 group policies spec for provider + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign policies to. 
ID of the group. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies to assign to the group Policies to be tied to the group. + """ + + + exclusive?: bool + + groupId?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign policies to. ID of the group. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + policies : [str], default is Undefined, optional + List of policies to assign to the group Policies to be tied to the group. + """ + + + exclusive?: bool + + groupId?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesStatus: + r""" + GroupPoliciesStatus defines the observed state of GroupPolicies. 
+ + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1GroupPoliciesStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1GroupPoliciesStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1GroupPoliciesStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1GroupPoliciesStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesStatusAtProvider: + r""" + identity vault upbound io v1alpha1 group policies status at provider + + Attributes + ---------- + exclusive : bool, default is Undefined, optional + Defaults to true. Should the resource manage policies exclusively? Beware of race conditions when disabling exclusive management + groupId : str, default is Undefined, optional + Group ID to assign policies to. ID of the group. + groupName : str, default is Undefined, optional + The name of the group that are assigned the policies. Name of the group. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies to assign to the group Policies to be tied to the group. + """ + + + exclusive?: bool + + groupId?: str + + groupName?: str + + id?: str + + namespace?: str + + policies?: [str] + + +schema IdentityVaultUpboundIoV1alpha1GroupPoliciesStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_duo.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_duo.k new file mode 100644 index 00000000..7e2cfa80 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_duo.k 
@@ -0,0 +1,471 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema MfaDuo: + r""" + MfaDuo is the Schema for the MfaDuos API. Resource for configuring the duo MFA method. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "MfaDuo", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1MfaDuoSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1MfaDuoStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "MfaDuo" = "MfaDuo" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1MfaDuoSpec + + status?: IdentityVaultUpboundIoV1alpha1MfaDuoStatus + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpec: + r""" + MfaDuoSpec defines the desired state of MfaDuo + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1MfaDuoSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1MfaDuoSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProvider: + r""" + identity vault upbound io v1alpha1 mfa duo spec for provider + + Attributes + ---------- + apiHostname : str, default is Undefined, optional + API hostname for Duo API hostname for Duo + integrationKeySecretRef : IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProviderIntegrationKeySecretRef, default is Undefined, optional + integration key secret ref + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) Target namespace. (requires Enterprise) + pushInfo : str, default is Undefined, optional + Push information for Duo. Push information for Duo. + secretKeySecretRef : IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProviderSecretKeySecretRef, default is Undefined, optional + secret key secret ref + usePasscode : bool, default is Undefined, optional + Require passcode upon MFA validation. Require passcode upon MFA validation. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + """ + + + apiHostname?: str + + integrationKeySecretRef?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProviderIntegrationKeySecretRef + + namespace?: str + + pushInfo?: str + + secretKeySecretRef?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProviderSecretKeySecretRef + + usePasscode?: bool + + usernameFormat?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProviderIntegrationKeySecretRef: + r""" + Integration key for Duo Integration key for Duo + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecForProviderSecretKeySecretRef: + r""" + Secret key for Duo Secret key for Duo + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + apiHostname : str, default is Undefined, optional + API hostname for Duo API hostname for Duo + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + pushInfo : str, default is Undefined, optional + Push information for Duo. Push information for Duo. + usePasscode : bool, default is Undefined, optional + Require passcode upon MFA validation. Require passcode upon MFA validation. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + """ + + + apiHostname?: str + + namespace?: str + + pushInfo?: str + + usePasscode?: bool + + usernameFormat?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoStatus: + r""" + MfaDuoStatus defines the observed state of MfaDuo. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1MfaDuoStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1MfaDuoStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1MfaDuoStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1MfaDuoStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoStatusAtProvider: + r""" + identity vault upbound io v1alpha1 mfa duo status at provider + + Attributes + ---------- + apiHostname : str, default is Undefined, optional + API hostname for Duo API hostname for Duo + id : str, default is Undefined, optional + id + methodId : str, default is Undefined, optional + Method ID. Method ID. + mountAccessor : str, default is Undefined, optional + Mount accessor. Mount accessor. + name : str, default is Undefined, optional + Method name. 
+ namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + namespaceId : str, default is Undefined, optional + Method's namespace ID. Method's namespace ID. + namespacePath : str, default is Undefined, optional + Method's namespace path. Method's namespace path. + pushInfo : str, default is Undefined, optional + Push information for Duo. Push information for Duo. + $type : str, default is Undefined, optional + MFA type. MFA type. + usePasscode : bool, default is Undefined, optional + Require passcode upon MFA validation. Require passcode upon MFA validation. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + uuid : str, default is Undefined, optional + Resource UUID. Resource UUID. + """ + + + apiHostname?: str + + id?: str + + methodId?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + namespaceId?: str + + namespacePath?: str + + pushInfo?: str + + $type?: str + + usePasscode?: bool + + usernameFormat?: str + + uuid?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaDuoStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_login_enforcement.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_login_enforcement.k new file mode 100644 index 00000000..d04a3877 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_login_enforcement.k 
@@ -0,0 +1,427 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema MfaLoginEnforcement: + r""" + MfaLoginEnforcement is the Schema for the MfaLoginEnforcements API. Resource for configuring MFA login-enforcement + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "MfaLoginEnforcement", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "MfaLoginEnforcement" = "MfaLoginEnforcement" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpec + + status?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatus + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpec: + r""" + MfaLoginEnforcementSpec defines the desired state of MfaLoginEnforcement + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecWriteConnectionSecretToRef + + 
+schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecForProvider: + r""" + identity vault upbound io v1alpha1 mfa login enforcement spec for provider + + Attributes + ---------- + authMethodAccessors : [str], default is Undefined, optional + Set of auth method accessor IDs. Set of auth method accessor IDs. + authMethodTypes : [str], default is Undefined, optional + Set of auth method types. Set of auth method types. + identityEntityIds : [str], default is Undefined, optional + Set of identity entity IDs. Set of identity entity IDs. + identityGroupIds : [str], default is Undefined, optional + Set of identity group IDs. Set of identity group IDs. + mfaMethodIds : [str], default is Undefined, optional + Set of MFA method UUIDs. Set of MFA method UUIDs. + name : str, default is Undefined, optional + Login enforcement name. Login enforcement name. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + """ + + + authMethodAccessors?: [str] + + authMethodTypes?: [str] + + identityEntityIds?: [str] + + identityGroupIds?: [str] + + mfaMethodIds?: [str] + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + authMethodAccessors : [str], default is Undefined, optional + Set of auth method accessor IDs. Set of auth method accessor IDs. + authMethodTypes : [str], default is Undefined, optional + Set of auth method types. Set of auth method types. + identityEntityIds : [str], default is Undefined, optional + Set of identity entity IDs. Set of identity entity IDs. + identityGroupIds : [str], default is Undefined, optional + Set of identity group IDs. Set of identity group IDs. + mfaMethodIds : [str], default is Undefined, optional + Set of MFA method UUIDs. Set of MFA method UUIDs. + name : str, default is Undefined, optional + Login enforcement name. Login enforcement name. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + """ + + + authMethodAccessors?: [str] + + authMethodTypes?: [str] + + identityEntityIds?: [str] + + identityGroupIds?: [str] + + mfaMethodIds?: [str] + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatus: + r""" + MfaLoginEnforcementStatus defines the observed state of MfaLoginEnforcement. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatusAtProvider: + r""" + identity vault upbound io v1alpha1 mfa login enforcement status at provider + + Attributes + ---------- + authMethodAccessors : [str], default is Undefined, optional + Set of auth method accessor IDs. Set of auth method accessor IDs. + authMethodTypes : [str], default is Undefined, optional + Set of auth method types. Set of auth method types. + id : str, default is Undefined, optional + id + identityEntityIds : [str], default is Undefined, optional + Set of identity entity IDs. Set of identity entity IDs. + identityGroupIds : [str], default is Undefined, optional + Set of identity group IDs. Set of identity group IDs. + mfaMethodIds : [str], default is Undefined, optional + Set of MFA method UUIDs. 
Set of MFA method UUIDs. + name : str, default is Undefined, optional + Login enforcement name. Login enforcement name. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + namespaceId : str, default is Undefined, optional + Method's namespace ID. Method's namespace ID. + namespacePath : str, default is Undefined, optional + Method's namespace path. Method's namespace path. + uuid : str, default is Undefined, optional + Resource UUID. Resource UUID. + """ + + + authMethodAccessors?: [str] + + authMethodTypes?: [str] + + id?: str + + identityEntityIds?: [str] + + identityGroupIds?: [str] + + mfaMethodIds?: [str] + + name?: str + + namespace?: str + + namespaceId?: str + + namespacePath?: str + + uuid?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaLoginEnforcementStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_okta.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_okta.k new file mode 100644 index 00000000..3ee8feda --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_okta.k 
@@ -0,0 +1,445 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema MfaOkta: + r""" + MfaOkta is the Schema for the MfaOktas API. Resource for configuring the okta MFA method. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "MfaOkta", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1MfaOktaSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1MfaOktaStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "MfaOkta" = "MfaOkta" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1MfaOktaSpec + + status?: IdentityVaultUpboundIoV1alpha1MfaOktaStatus + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpec: + r""" + MfaOktaSpec defines the desired state of MfaOkta + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1MfaOktaSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1MfaOktaSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1MfaOktaSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1MfaOktaSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecForProvider: + r""" + identity vault upbound io v1alpha1 mfa okta spec for provider + + Attributes + ---------- + apiTokenSecretRef : IdentityVaultUpboundIoV1alpha1MfaOktaSpecForProviderAPITokenSecretRef, default is Undefined, optional + api token secret ref + baseUrl : str, default is Undefined, optional + The base domain to use for API requests. The base domain to use for API requests. 
+ namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + orgName : str, default is Undefined, optional + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. + primaryEmail : bool, default is Undefined, optional + Only match the primary email for the account. Only match the primary email for the account. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + """ + + + apiTokenSecretRef?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecForProviderAPITokenSecretRef + + baseUrl?: str + + namespace?: str + + orgName?: str + + primaryEmail?: bool + + usernameFormat?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecForProviderAPITokenSecretRef: + r""" + Okta API token. Okta API token. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + The base domain to use for API requests. The base domain to use for API requests. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + orgName : str, default is Undefined, optional + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. + primaryEmail : bool, default is Undefined, optional + Only match the primary email for the account. Only match the primary email for the account. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + """ + + + baseUrl?: str + + namespace?: str + + orgName?: str + + primaryEmail?: bool + + usernameFormat?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaStatus: + r""" + MfaOktaStatus defines the observed state of MfaOkta. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1MfaOktaStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1MfaOktaStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1MfaOktaStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1MfaOktaStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaStatusAtProvider: + r""" + identity vault upbound io v1alpha1 mfa okta status at provider + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + The base domain to use for API requests. The base domain to use for API requests. + id : str, default is Undefined, optional + id + methodId : str, default is Undefined, optional + Method ID. Method ID. + mountAccessor : str, default is Undefined, optional + Mount accessor. Mount accessor. + name : str, default is Undefined, optional + Method name. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + namespaceId : str, default is Undefined, optional + Method's namespace ID. Method's namespace ID. + namespacePath : str, default is Undefined, optional + Method's namespace path. Method's namespace path. + orgName : str, default is Undefined, optional + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. 
+ primaryEmail : bool, default is Undefined, optional + Only match the primary email for the account. Only match the primary email for the account. + $type : str, default is Undefined, optional + MFA type. MFA type. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + uuid : str, default is Undefined, optional + Resource UUID. Resource UUID. + """ + + + baseUrl?: str + + id?: str + + methodId?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + namespaceId?: str + + namespacePath?: str + + orgName?: str + + primaryEmail?: bool + + $type?: str + + usernameFormat?: str + + uuid?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaOktaStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_pingid.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_pingid.k new file mode 100644 index 00000000..cdd2e4ce --- /dev/null 
+++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_pingid.k 
@@ -0,0 +1,415 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema MfaPingid: + r""" + MfaPingid is the Schema for the MfaPingids API. Resource for configuring the pingid MFA method. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "MfaPingid", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1MfaPingidSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1MfaPingidStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "MfaPingid" = "MfaPingid" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1MfaPingidSpec + + status?: IdentityVaultUpboundIoV1alpha1MfaPingidStatus + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpec: + r""" + MfaPingidSpec defines the desired state of MfaPingid + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1MfaPingidSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1MfaPingidSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1MfaPingidSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1MfaPingidSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecForProvider: + r""" + identity vault upbound io v1alpha1 mfa pingid spec for provider + + Attributes + ---------- + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + settingsFileBase64 : str, default is Undefined, optional + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. 
A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + """ + + + namespace?: str + + settingsFileBase64?: str + + usernameFormat?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + settingsFileBase64 : str, default is Undefined, optional + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. 
+ """ + + + namespace?: str + + settingsFileBase64?: str + + usernameFormat?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidStatus: + r""" + MfaPingidStatus defines the observed state of MfaPingid. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1MfaPingidStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1MfaPingidStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1MfaPingidStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1MfaPingidStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidStatusAtProvider: + r""" + identity vault upbound io v1alpha1 mfa pingid status at provider + + Attributes + ---------- + adminUrl : str, default is Undefined, optional + The admin URL, derived from "settings_file_base64" The admin URL, derived from "settings_file_base64" + authenticatorUrl : str, default is Undefined, optional + A unique identifier of the organization, derived from "settings_file_base64" A unique identifier of the organization, derived from "settings_file_base64" + id : str, default is Undefined, optional + id + idpUrl : str, default is Undefined, optional + The IDP URL, derived from "settings_file_base64" The IDP URL, derived from "settings_file_base64" + methodId : str, default is Undefined, optional + Method ID. Method ID. + mountAccessor : str, default is Undefined, optional + Mount accessor. Mount accessor. + name : str, default is Undefined, optional + Method name. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + namespaceId : str, default is Undefined, optional + Method's namespace ID. Method's namespace ID. + namespacePath : str, default is Undefined, optional + Method's namespace path. Method's namespace path. + orgAlias : str, default is Undefined, optional + The name of the PingID client organization, derived from "settings_file_base64" The name of the PingID client organization, derived from "settings_file_base64" + settingsFileBase64 : str, default is Undefined, optional + A base64-encoded third-party settings contents as retrieved from PingID's configuration page. A base64-encoded third-party settings contents as retrieved from PingID's configuration page. + $type : str, default is Undefined, optional + MFA type. MFA type. 
+ useSignature : bool, default is Undefined, optional + Use signature value, derived from "settings_file_base64" Use signature value, derived from "settings_file_base64" + usernameFormat : str, default is Undefined, optional + A template string for mapping Identity names to MFA methods. A template string for mapping Identity names to MFA methods. + uuid : str, default is Undefined, optional + Resource UUID. Resource UUID. + """ + + + adminUrl?: str + + authenticatorUrl?: str + + id?: str + + idpUrl?: str + + methodId?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + namespaceId?: str + + namespacePath?: str + + orgAlias?: str + + settingsFileBase64?: str + + $type?: str + + useSignature?: bool + + usernameFormat?: str + + uuid?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaPingidStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_totp.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_totp.k new file mode 100644 index 00000000..9884971a --- /dev/null 
+++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_mfa_totp.k 
@@ -0,0 +1,467 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema MfaTotp: + r""" + MfaTotp is the Schema for the MfaTotps API. Resource for configuring the totp MFA method. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "MfaTotp", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1MfaTotpSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1MfaTotpStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "MfaTotp" = "MfaTotp" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1MfaTotpSpec + + status?: IdentityVaultUpboundIoV1alpha1MfaTotpStatus + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpec: + r""" + MfaTotpSpec defines the desired state of MfaTotp + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1MfaTotpSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1MfaTotpSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1MfaTotpSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1MfaTotpSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecForProvider: + r""" + identity vault upbound io v1alpha1 mfa totp spec for provider + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. 
+ digits : float, default is Undefined, optional + The number of digits in the generated TOTP token. This value can either be 6 or 8 The number of digits in the generated TOTP token. This value can either be 6 or 8 + issuer : str, default is Undefined, optional + The name of the key's issuing organization. The name of the key's issuing organization. + keySize : float, default is Undefined, optional + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. + maxValidationAttempts : float, default is Undefined, optional + The maximum number of consecutive failed validation attempts allowed. The maximum number of consecutive failed validation attempts allowed. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + period : float, default is Undefined, optional + The length of time in seconds used to generate a counter for the TOTP token calculation. The length of time in seconds used to generate a counter for the TOTP token calculation. + qrSize : float, default is Undefined, optional + The pixel size of the generated square QR code. The pixel size of the generated square QR code. + skew : float, default is Undefined, optional + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + """ + + + algorithm?: str + + digits?: float + + issuer?: str + + keySize?: float + + maxValidationAttempts?: float + + namespace?: str + + period?: float + + qrSize?: float + + skew?: float + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + digits : float, default is Undefined, optional + The number of digits in the generated TOTP token. This value can either be 6 or 8 The number of digits in the generated TOTP token. This value can either be 6 or 8 + issuer : str, default is Undefined, optional + The name of the key's issuing organization. The name of the key's issuing organization. + keySize : float, default is Undefined, optional + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. + maxValidationAttempts : float, default is Undefined, optional + The maximum number of consecutive failed validation attempts allowed. The maximum number of consecutive failed validation attempts allowed. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. (requires Enterprise) + period : float, default is Undefined, optional + The length of time in seconds used to generate a counter for the TOTP token calculation. The length of time in seconds used to generate a counter for the TOTP token calculation. + qrSize : float, default is Undefined, optional + The pixel size of the generated square QR code. 
The pixel size of the generated square QR code. + skew : float, default is Undefined, optional + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + """ + + + algorithm?: str + + digits?: float + + issuer?: str + + keySize?: float + + maxValidationAttempts?: float + + namespace?: str + + period?: float + + qrSize?: float + + skew?: float + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpStatus: + r""" + MfaTotpStatus defines the observed state of MfaTotp. 
+ + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1MfaTotpStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1MfaTotpStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1MfaTotpStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1MfaTotpStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpStatusAtProvider: + r""" + identity vault upbound io v1alpha1 mfa totp status at provider + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512. + digits : float, default is Undefined, optional + The number of digits in the generated TOTP token. This value can either be 6 or 8 The number of digits in the generated TOTP token. This value can either be 6 or 8 + id : str, default is Undefined, optional + id + issuer : str, default is Undefined, optional + The name of the key's issuing organization. The name of the key's issuing organization. + keySize : float, default is Undefined, optional + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. + maxValidationAttempts : float, default is Undefined, optional + The maximum number of consecutive failed validation attempts allowed. The maximum number of consecutive failed validation attempts allowed. + methodId : str, default is Undefined, optional + Method ID. Method ID. + mountAccessor : str, default is Undefined, optional + Mount accessor. Mount accessor. + name : str, default is Undefined, optional + Method name. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) Target namespace. 
(requires Enterprise) + namespaceId : str, default is Undefined, optional + Method's namespace ID. Method's namespace ID. + namespacePath : str, default is Undefined, optional + Method's namespace path. Method's namespace path. + period : float, default is Undefined, optional + The length of time in seconds used to generate a counter for the TOTP token calculation. The length of time in seconds used to generate a counter for the TOTP token calculation. + qrSize : float, default is Undefined, optional + The pixel size of the generated square QR code. The pixel size of the generated square QR code. + skew : float, default is Undefined, optional + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + $type : str, default is Undefined, optional + MFA type. MFA type. + uuid : str, default is Undefined, optional + Resource UUID. Resource UUID. + """ + + + algorithm?: str + + digits?: float + + id?: str + + issuer?: str + + keySize?: float + + maxValidationAttempts?: float + + methodId?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + namespaceId?: str + + namespacePath?: str + + period?: float + + qrSize?: float + + skew?: float + + $type?: str + + uuid?: str + + +schema IdentityVaultUpboundIoV1alpha1MfaTotpStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. 
+ status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc.k new file mode 100644 index 00000000..2a663623 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc.k 
@@ -0,0 +1,355 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Oidc: + r""" + Oidc is the Schema for the Oidcs API. Configure the Identity Tokens Backend for Vault + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Oidc", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "Oidc" = "Oidc" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcSpec: + r""" + OidcSpec defines the desired state of Oidc + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc spec for provider + + Attributes + ---------- + issuer : str, default is Undefined, optional + Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. Issuer URL to be used in the iss claim of the token. 
If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + issuer?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + issuer : str, default is Undefined, optional + Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + issuer?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcStatus: + r""" + OidcStatus defines the observed state of Oidc. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + issuer : str, default is Undefined, optional + Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + id?: str + + issuer?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. 
+ status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_assignment.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_assignment.k new file mode 100644 index 00000000..98493a58 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_assignment.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcAssignment: + r""" + OidcAssignment is the Schema for the OidcAssignments API. Provision OIDC Assignments in Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcAssignment", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcAssignmentStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcAssignment" = "OidcAssignment" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcAssignmentStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpec: + r""" + OidcAssignmentSpec defines the desired state of OidcAssignment + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either 
"Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc assignment spec for provider + + Attributes + ---------- + entityIds : [str], default is Undefined, optional + A set of Vault entity IDs. A list of Vault entity IDs. + groupIds : [str], default is Undefined, optional + A set of Vault group IDs. A list of Vault group IDs. 
+ name : str, default is Undefined, optional + The name of the assignment. The name of the assignment. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + entityIds?: [str] + + groupIds?: [str] + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + entityIds : [str], default is Undefined, optional + A set of Vault entity IDs. A list of Vault entity IDs. + groupIds : [str], default is Undefined, optional + A set of Vault group IDs. A list of Vault group IDs. + name : str, default is Undefined, optional + The name of the assignment. The name of the assignment. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + """ + + + entityIds?: [str] + + groupIds?: [str] + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentStatus: + r""" + OidcAssignmentStatus defines the observed state of OidcAssignment. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcAssignmentStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcAssignmentStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcAssignmentStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcAssignmentStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc assignment status at provider + + Attributes + ---------- + entityIds : [str], default is Undefined, optional + A set of Vault entity IDs. A list of Vault entity IDs. + groupIds : [str], default is Undefined, optional + A set of Vault group IDs. A list of Vault group IDs. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the assignment. The name of the assignment. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + entityIds?: [str] + + groupIds?: [str] + + id?: str + + name?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcAssignmentStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_client.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_client.k new file mode 100644 index 00000000..2e298679 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_client.k 
@@ -0,0 +1,431 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcClient: + r""" + OidcClient is the Schema for the OidcClients API. Provision OIDC Clients in Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcClient", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcClientSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcClientStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcClient" = "OidcClient" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcClientSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcClientStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpec: + r""" + OidcClientSpec defines the desired state of OidcClient + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcClientSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcClientSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcClientSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcClientSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcClientSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcClientSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc client spec for provider + + Attributes + ---------- + accessTokenTtl : float, default is Undefined, optional + The time-to-live for access tokens obtained by the client. The time-to-live for access tokens obtained by the client. + assignments : [str], default is Undefined, optional + A list of assignment resources associated with the client. 
A list of assignment resources associated with the client. + clientType : str, default is Undefined, optional + The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: confidential, public. Defaults to confidential. The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. + idTokenTtl : float, default is Undefined, optional + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. + key : str, default is Undefined, optional + A reference to a named key resource in Vault. This cannot be modified after creation. If not provided, the default key is used. A reference to a named key resource in Vault. This cannot be modified after creation. + name : str, default is Undefined, optional + The name of the client. The name of the client. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + redirectUris : [str], default is Undefined, optional + Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + """ + + + accessTokenTtl?: float + + assignments?: [str] + + clientType?: str + + idTokenTtl?: float + + key?: str + + name?: str + + namespace?: str + + redirectUris?: [str] + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. 
Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + accessTokenTtl : float, default is Undefined, optional + The time-to-live for access tokens obtained by the client. The time-to-live for access tokens obtained by the client. + assignments : [str], default is Undefined, optional + A list of assignment resources associated with the client. A list of assignment resources associated with the client. + clientType : str, default is Undefined, optional + The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: confidential, public. Defaults to confidential. The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. + idTokenTtl : float, default is Undefined, optional + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. + key : str, default is Undefined, optional + A reference to a named key resource in Vault. This cannot be modified after creation. If not provided, the default key is used. A reference to a named key resource in Vault. This cannot be modified after creation. + name : str, default is Undefined, optional + The name of the client. 
The name of the client. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + redirectUris : [str], default is Undefined, optional + Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + """ + + + accessTokenTtl?: float + + assignments?: [str] + + clientType?: str + + idTokenTtl?: float + + key?: str + + name?: str + + namespace?: str + + redirectUris?: [str] + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcClientSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcClientStatus: + r""" + OidcClientStatus defines the observed state of OidcClient. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcClientStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcClientStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcClientStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcClientStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcClientStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc client status at provider + + Attributes + ---------- + accessTokenTtl : float, default is Undefined, optional + The time-to-live for access tokens obtained by the client. The time-to-live for access tokens obtained by the client. + assignments : [str], default is Undefined, optional + A list of assignment resources associated with the client. A list of assignment resources associated with the client. + clientId : str, default is Undefined, optional + The Client ID from Vault. + clientType : str, default is Undefined, optional + The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: confidential, public. Defaults to confidential. The client type based on its ability to maintain confidentiality of credentials.Defaults to 'confidential'. 
+ id : str, default is Undefined, optional + id + idTokenTtl : float, default is Undefined, optional + The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. The time-to-live for ID tokens obtained by the client. The value should be less than the verification_ttl on the key. + key : str, default is Undefined, optional + A reference to a named key resource in Vault. This cannot be modified after creation. If not provided, the default key is used. A reference to a named key resource in Vault. This cannot be modified after creation. + name : str, default is Undefined, optional + The name of the client. The name of the client. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + redirectUris : [str], default is Undefined, optional + Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. Redirection URI values used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. + """ + + + accessTokenTtl?: float + + assignments?: [str] + + clientId?: str + + clientType?: str + + id?: str + + idTokenTtl?: float + + key?: str + + name?: str + + namespace?: str + + redirectUris?: [str] + + +schema IdentityVaultUpboundIoV1alpha1OidcClientStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key.k new file mode 100644 index 00000000..560cdb47 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key.k 
@@ -0,0 +1,403 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcKey: + r""" + OidcKey is the Schema for the OidcKeys API. Creates an Identity OIDC Named Key for Vault + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcKey", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcKeySpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcKeyStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcKey" = "OidcKey" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcKeySpec + + status?: IdentityVaultUpboundIoV1alpha1OidcKeyStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpec: + r""" + OidcKeySpec defines the desired state of OidcKey + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcKeySpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcKeySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcKeySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcKeySpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcKeySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcKeySpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc key spec for provider + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. 
+ allowedClientIds : [str], default is Undefined, optional + : Array of role client ID allowed to use this key for signing. If empty, no roles are allowed. If ["*"], all roles are allowed. Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + name : str, default is Undefined, optional + Name of the OIDC Key to create. Name of the key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + rotationPeriod : float, default is Undefined, optional + How often to generate a new signing key in number of seconds How often to generate a new signing key in number of seconds + verificationTtl : float, default is Undefined, optional + "Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. + """ + + + algorithm?: str + + allowedClientIds?: [str] + + name?: str + + namespace?: str + + rotationPeriod?: float + + verificationTtl?: float + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + allowedClientIds : [str], default is Undefined, optional + : Array of role client ID allowed to use this key for signing. If empty, no roles are allowed. If ["*"], all roles are allowed. Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + name : str, default is Undefined, optional + Name of the OIDC Key to create. Name of the key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + rotationPeriod : float, default is Undefined, optional + How often to generate a new signing key in number of seconds How often to generate a new signing key in number of seconds + verificationTtl : float, default is Undefined, optional + "Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. 
+ """ + + + algorithm?: str + + allowedClientIds?: [str] + + name?: str + + namespace?: str + + rotationPeriod?: float + + verificationTtl?: float + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyStatus: + r""" + OidcKeyStatus defines the observed state of OidcKey. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcKeyStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcKeyStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcKeyStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcKeyStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc key status at provider + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. + allowedClientIds : [str], default is Undefined, optional + : Array of role client ID allowed to use this key for signing. If empty, no roles are allowed. If ["*"], all roles are allowed. Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + id : str, default is Undefined, optional + The name of the created key. + name : str, default is Undefined, optional + Name of the OIDC Key to create. Name of the key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + rotationPeriod : float, default is Undefined, optional + How often to generate a new signing key in number of seconds How often to generate a new signing key in number of seconds + verificationTtl : float, default is Undefined, optional + "Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. Controls how long the public portion of a signing key will be available for verification after being rotated in seconds. 
+ """ + + + algorithm?: str + + allowedClientIds?: [str] + + id?: str + + name?: str + + namespace?: str + + rotationPeriod?: float + + verificationTtl?: float + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key_allowed_client_id.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key_allowed_client_id.k new file mode 100644 index 00000000..53753d84 --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_key_allowed_client_id.k 
@@ -0,0 +1,367 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcKeyAllowedClientID: + r""" + OidcKeyAllowedClientID is the Schema for the OidcKeyAllowedClientIDs API. Allows an Identity OIDC Role to use an OIDC Named key. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcKeyAllowedClientID", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcKeyAllowedClientID" = "OidcKeyAllowedClientID" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpec: + r""" + OidcKeyAllowedClientIDSpec defines the desired state of OidcKeyAllowedClientID + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderRef + + publishConnectionDetailsTo?: 
IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc key allowed client ID spec for provider + + Attributes + ---------- + allowedClientId : str, default is Undefined, optional + Client ID to allow usage with the OIDC named key Role Client ID allowed to use the key for signing. + keyName : str, default is Undefined, optional + Name of the OIDC Key allow the Client ID. Name of the key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + allowedClientId?: str + + keyName?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + allowedClientId : str, default is Undefined, optional + Client ID to allow usage with the OIDC named key Role Client ID allowed to use the key for signing. + keyName : str, default is Undefined, optional + Name of the OIDC Key allow the Client ID. Name of the key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + allowedClientId?: str + + keyName?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatus: + r""" + OidcKeyAllowedClientIDStatus defines the observed state of OidcKeyAllowedClientID. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc key allowed client ID status at provider + + Attributes + ---------- + allowedClientId : str, default is Undefined, optional + Client ID to allow usage with the OIDC named key Role Client ID allowed to use the key for signing. + id : str, default is Undefined, optional + id + keyName : str, default is Undefined, optional + Name of the OIDC Key allow the Client ID. Name of the key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + allowedClientId?: str + + id?: str + + keyName?: str + + namespace?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcKeyAllowedClientIDStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_provider.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_provider.k new file mode 100644 index 00000000..c56497ad --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_provider.k 
@@ -0,0 +1,407 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcProvider: + r""" + OidcProvider is the Schema for the OidcProviders API. Provision OIDC Providers in Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcProvider", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcProviderSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcProviderStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcProvider" = "OidcProvider" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcProviderSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcProviderStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpec: + r""" + OidcProviderSpec defines the desired state of OidcProvider + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the 
external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcProviderSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcProviderSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcProviderSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcProviderSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc provider spec for provider + + Attributes + ---------- + allowedClientIds : [str], default is Undefined, optional + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If *, all clients are allowed. The client IDs that are permitted to use the provider. If empty, no clients are allowed. 
If "*", all clients are allowed. + httpsEnabled : bool, default is Undefined, optional + Set to true if the issuer endpoint uses HTTPS. Set to true if the issuer endpoint uses HTTPS. + issuerHost : str, default is Undefined, optional + The host for the issuer. Can be either host or host:port. The host for the issuer. Can be either host or host:port. + name : str, default is Undefined, optional + The name of the provider. The name of the provider. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + scopesSupported : [str], default is Undefined, optional + The scopes available for requesting on the provider. The scopes available for requesting on the provider. + """ + + + allowedClientIds?: [str] + + httpsEnabled?: bool + + issuerHost?: str + + name?: str + + namespace?: str + + scopesSupported?: [str] + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedClientIds : [str], default is Undefined, optional + The client IDs that are permitted to use the provider. 
If empty, no clients are allowed. If *, all clients are allowed. The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. + httpsEnabled : bool, default is Undefined, optional + Set to true if the issuer endpoint uses HTTPS. Set to true if the issuer endpoint uses HTTPS. + issuerHost : str, default is Undefined, optional + The host for the issuer. Can be either host or host:port. The host for the issuer. Can be either host or host:port. + name : str, default is Undefined, optional + The name of the provider. The name of the provider. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + scopesSupported : [str], default is Undefined, optional + The scopes available for requesting on the provider. The scopes available for requesting on the provider. + """ + + + allowedClientIds?: [str] + + httpsEnabled?: bool + + issuerHost?: str + + name?: str + + namespace?: str + + scopesSupported?: [str] + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderStatus: + r""" + OidcProviderStatus defines the observed state of OidcProvider. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcProviderStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcProviderStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcProviderStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcProviderStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc provider status at provider + + Attributes + ---------- + allowedClientIds : [str], default is Undefined, optional + The client IDs that are permitted to use the provider. If empty, no clients are allowed. If *, all clients are allowed. The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. + httpsEnabled : bool, default is Undefined, optional + Set to true if the issuer endpoint uses HTTPS. Set to true if the issuer endpoint uses HTTPS. + id : str, default is Undefined, optional + id + issuer : str, default is Undefined, optional + Specifies what will be used as the scheme://host:port component for the iss claim of ID tokens. This value is computed using the issuer_host and https_enabled fields. 
Specifies what will be used as the 'scheme://host:port' component for the 'iss' claim of ID tokens.This value is computed using the issuer_host and https_enabled fields. + issuerHost : str, default is Undefined, optional + The host for the issuer. Can be either host or host:port. The host for the issuer. Can be either host or host:port. + name : str, default is Undefined, optional + The name of the provider. The name of the provider. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + scopesSupported : [str], default is Undefined, optional + The scopes available for requesting on the provider. The scopes available for requesting on the provider. + """ + + + allowedClientIds?: [str] + + httpsEnabled?: bool + + id?: str + + issuer?: str + + issuerHost?: str + + name?: str + + namespace?: str + + scopesSupported?: [str] + + +schema IdentityVaultUpboundIoV1alpha1OidcProviderStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_role.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_role.k new file mode 100644 index 00000000..9275d34f --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_role.k 
@@ -0,0 +1,403 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcRole: + r""" + OidcRole is the Schema for the OidcRoles API. Creates an Identity OIDC Role for Vault + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcRoleSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcRole" = "OidcRole" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcRoleSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcRoleStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpec: + r""" + OidcRoleSpec defines the desired state of OidcRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcRoleSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcRoleSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc role spec for provider + + Attributes + ---------- + clientId : str, default is Undefined, optional + The value that will be included in the aud field of all the OIDC identity tokens issued by this role The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role + key : str, default is Undefined, optional + A configured named key, 
the key must already exist before tokens can be issued. A configured named key, the key must already exist. + name : str, default is Undefined, optional + Name of the OIDC Role to create. Name of the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + template : str, default is Undefined, optional + The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format. The template string to use for generating tokens. This may be in string-ified JSON or base64 format. + ttl : float, default is Undefined, optional + TTL of the tokens generated against the role in number of seconds. TTL of the tokens generated against the role in number of seconds. + """ + + + clientId?: str + + key?: str + + name?: str + + namespace?: str + + template?: str + + ttl?: float + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + clientId : str, default is Undefined, optional + The value that will be included in the aud field of all the OIDC identity tokens issued by this role The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role + key : str, default is Undefined, optional + A configured named key, the key must already exist before tokens can be issued. A configured named key, the key must already exist. + name : str, default is Undefined, optional + Name of the OIDC Role to create. Name of the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + template : str, default is Undefined, optional + The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format. The template string to use for generating tokens. This may be in string-ified JSON or base64 format. + ttl : float, default is Undefined, optional + TTL of the tokens generated against the role in number of seconds. TTL of the tokens generated against the role in number of seconds. + """ + + + clientId?: str + + key?: str + + name?: str + + namespace?: str + + template?: str + + ttl?: float + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleStatus: + r""" + OidcRoleStatus defines the observed state of OidcRole. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcRoleStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcRoleStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc role status at provider + + Attributes + ---------- + clientId : str, default is Undefined, optional + The value that will be included in the aud field of all the OIDC identity tokens issued by this role The value that will be included in the `aud` field of all the OIDC identity tokens issued by this role + id : str, default is Undefined, optional + The name of the created role. 
+ key : str, default is Undefined, optional + A configured named key, the key must already exist before tokens can be issued. A configured named key, the key must already exist. + name : str, default is Undefined, optional + Name of the OIDC Role to create. Name of the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + template : str, default is Undefined, optional + The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format. The template string to use for generating tokens. This may be in string-ified JSON or base64 format. + ttl : float, default is Undefined, optional + TTL of the tokens generated against the role in number of seconds. TTL of the tokens generated against the role in number of seconds. + """ + + + clientId?: str + + id?: str + + key?: str + + name?: str + + namespace?: str + + template?: str + + ttl?: float + + +schema IdentityVaultUpboundIoV1alpha1OidcRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_scope.k b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_scope.k new file mode 100644 index 00000000..b7917a4b --- /dev/null +++ b/crossplane-provider-vault/identity/v1alpha1/identity_vault_upbound_io_v1alpha1_oidc_scope.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema OidcScope: + r""" + OidcScope is the Schema for the OidcScopes API. Provision OIDC Scopes in Vault. + + Attributes + ---------- + apiVersion : str, default is "identity.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "OidcScope", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : IdentityVaultUpboundIoV1alpha1OidcScopeSpec, default is Undefined, required + spec + status : IdentityVaultUpboundIoV1alpha1OidcScopeStatus, default is Undefined, optional + status + """ + + + apiVersion: "identity.vault.upbound.io/v1alpha1" = "identity.vault.upbound.io/v1alpha1" + + kind: "OidcScope" = "OidcScope" + + metadata?: v1.ObjectMeta + + spec: IdentityVaultUpboundIoV1alpha1OidcScopeSpec + + status?: IdentityVaultUpboundIoV1alpha1OidcScopeStatus + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpec: + r""" + OidcScopeSpec defines the desired state of OidcScope + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : IdentityVaultUpboundIoV1alpha1OidcScopeSpecForProvider, default is Undefined, required + for provider + initProvider : IdentityVaultUpboundIoV1alpha1OidcScopeSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : IdentityVaultUpboundIoV1alpha1OidcScopeSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: IdentityVaultUpboundIoV1alpha1OidcScopeSpecForProvider + + initProvider?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderConfigRef + + providerRef?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderRef + + publishConnectionDetailsTo?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecWriteConnectionSecretToRef + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecForProvider: + r""" + identity vault upbound io v1alpha1 oidc scope spec for provider + + Attributes + ---------- + description : str, default is Undefined, optional + A description of the scope. The scope's description. + name : str, default is Undefined, optional + The name of the scope. The openid scope name is reserved. The name of the scope. The openid scope name is reserved. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + template : str, default is Undefined, optional + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + """ + + + description?: str + + name?: str + + namespace?: str + + template?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + description : str, default is Undefined, optional + A description of the scope. The scope's description. + name : str, default is Undefined, optional + The name of the scope. The openid scope name is reserved. The name of the scope. The openid scope name is reserved. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + template : str, default is Undefined, optional + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + """ + + + description?: str + + name?: str + + namespace?: str + + template?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToConfigRef + + metadata?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToMetadata + + name: str + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToConfigRefPolicy + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeStatus: + r""" + OidcScopeStatus defines the observed state of OidcScope. + + Attributes + ---------- + atProvider : IdentityVaultUpboundIoV1alpha1OidcScopeStatusAtProvider, default is Undefined, optional + at provider + conditions : [IdentityVaultUpboundIoV1alpha1OidcScopeStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: IdentityVaultUpboundIoV1alpha1OidcScopeStatusAtProvider + + conditions?: [IdentityVaultUpboundIoV1alpha1OidcScopeStatusConditionsItems0] + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeStatusAtProvider: + r""" + identity vault upbound io v1alpha1 oidc scope status at provider + + Attributes + ---------- + description : str, default is Undefined, optional + A description of the scope. The scope's description. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the scope. The openid scope name is reserved. The name of the scope. The openid scope name is reserved. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + template : str, default is Undefined, optional + The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. + """ + + + description?: str + + id?: str + + name?: str + + namespace?: str + + template?: str + + +schema IdentityVaultUpboundIoV1alpha1OidcScopeStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. 
+ status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend.k b/crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend.k new file mode 100644 index 00000000..602c7490 --- /dev/null +++ b/crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend.k 
@@ -0,0 +1,727 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackend: + r""" + AuthBackend is the Schema for the AuthBackends API. Managing JWT/OIDC auth backends in Vault + + Attributes + ---------- + apiVersion : str, default is "jwt.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : JwtVaultUpboundIoV1alpha1AuthBackendSpec, default is Undefined, required + spec + status : JwtVaultUpboundIoV1alpha1AuthBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "jwt.vault.upbound.io/v1alpha1" = "jwt.vault.upbound.io/v1alpha1" + + kind: "AuthBackend" = "AuthBackend" + + metadata?: v1.ObjectMeta + + spec: JwtVaultUpboundIoV1alpha1AuthBackendSpec + + status?: JwtVaultUpboundIoV1alpha1AuthBackendStatus + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpec: + r""" + AuthBackendSpec defines the desired state of AuthBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : JwtVaultUpboundIoV1alpha1AuthBackendSpecForProvider, default is Undefined, required + for provider + initProvider : JwtVaultUpboundIoV1alpha1AuthBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : JwtVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: JwtVaultUpboundIoV1alpha1AuthBackendSpecForProvider + + initProvider?: JwtVaultUpboundIoV1alpha1AuthBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef + + providerRef?: JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderRef + + publishConnectionDetailsTo?: JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: JwtVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecForProvider: + r""" + jwt vault upbound io v1alpha1 auth backend spec for provider + + Attributes + ---------- + boundIssuer : str, default is Undefined, optional + The value against which to match the iss claim in a JWT The value against which to match the iss claim in a JWT + defaultRole : str, default is Undefined, optional + The default role to use if none is provided during login The default role to use if none is provided during login + description : 
str, default is Undefined, optional + The description of the auth backend The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + jwksCaPem : str, default is Undefined, optional + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + jwksUrl : str, default is Undefined, optional + JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + jwtSupportedAlgs : [str], default is Undefined, optional + A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ A list of supported signing algorithms. Defaults to [RS256] + jwtValidationPubkeys : [str], default is Undefined, optional + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + local : bool, default is Undefined, optional + Specifies if the auth method is local only. Specifies if the auth method is local only + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + namespaceInState : bool, default is Undefined, optional + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. + oidcClientId : str, default is Undefined, optional + Client ID used for OIDC backends Client ID used for OIDC + oidcClientSecretSecretRef : JwtVaultUpboundIoV1alpha1AuthBackendSpecForProviderOidcClientSecretSecretRef, default is Undefined, optional + oidc client secret secret ref + oidcDiscoveryCaPem : str, default is Undefined, optional + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + oidcDiscoveryUrl : str, default is Undefined, optional + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + oidcResponseMode : str, default is Undefined, optional + The response mode to be used in the OAuth2 request. 
Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. + oidcResponseTypes : [str], default is Undefined, optional + List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. + path : str, default is Undefined, optional + Path to mount the JWT/OIDC auth backend path to mount the backend + providerConfig : {str:str}, default is Undefined, optional + Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. Provider specific handling configuration + tune : [JwtVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0], default is Undefined, optional + tune + $type : str, default is Undefined, optional + Type of auth backend. Should be one of jwt or oidc. Default - jwt Type of backend. 
Can be either 'jwt' or 'oidc' + """ + + + boundIssuer?: str + + defaultRole?: str + + description?: str + + disableRemount?: bool + + jwksCaPem?: str + + jwksUrl?: str + + jwtSupportedAlgs?: [str] + + jwtValidationPubkeys?: [str] + + local?: bool + + namespace?: str + + namespaceInState?: bool + + oidcClientId?: str + + oidcClientSecretSecretRef?: JwtVaultUpboundIoV1alpha1AuthBackendSpecForProviderOidcClientSecretSecretRef + + oidcDiscoveryCaPem?: str + + oidcDiscoveryUrl?: str + + oidcResponseMode?: str + + oidcResponseTypes?: [str] + + path?: str + + providerConfig?: {str:str} + + tune?: [JwtVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0] + + $type?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecForProviderOidcClientSecretSecretRef: + r""" + Client Secret used for OIDC backends Client Secret used for OIDC + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecForProviderTuneItems0: + r""" + jwt vault upbound io v1alpha1 auth backend spec for provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + List of headers to whitelist and allowing a plugin to include them in the response. + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtl : str, default is Undefined, optional + Specifies the default time-to-live. If set, this overrides the global default. 
Must be a valid duration string + listingVisibility : str, default is Undefined, optional + Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". + maxLeaseTtl : str, default is Undefined, optional + Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string + passthroughRequestHeaders : [str], default is Undefined, optional + List of headers to whitelist and pass from the request to the backend. + tokenType : str, default is Undefined, optional + Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + boundIssuer : str, default is Undefined, optional + The value against which to match the iss claim in a JWT The value against which to match the iss claim in a JWT + defaultRole : str, default is Undefined, optional + The default role to use if none is provided during login The default role to use if none is provided during login + description : str, default is Undefined, optional + The description of the auth backend The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + jwksCaPem : str, default is Undefined, optional + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + jwksUrl : str, default is Undefined, optional + JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". JWKS URL to use to authenticate signatures. Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + jwtSupportedAlgs : [str], default is Undefined, optional + A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ A list of supported signing algorithms. Defaults to [RS256] + jwtValidationPubkeys : [str], default is Undefined, optional + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + local : bool, default is Undefined, optional + Specifies if the auth method is local only. 
Specifies if the auth method is local only + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + namespaceInState : bool, default is Undefined, optional + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. + oidcClientId : str, default is Undefined, optional + Client ID used for OIDC backends Client ID used for OIDC + oidcDiscoveryCaPem : str, default is Undefined, optional + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + oidcDiscoveryUrl : str, default is Undefined, optional + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys The OIDC Discovery URL, without any .well-known component (base path). 
Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + oidcResponseMode : str, default is Undefined, optional + The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. + oidcResponseTypes : [str], default is Undefined, optional + List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. + path : str, default is Undefined, optional + Path to mount the JWT/OIDC auth backend path to mount the backend + providerConfig : {str:str}, default is Undefined, optional + Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault. Provider specific handling configuration + tune : [JwtVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0], default is Undefined, optional + tune + $type : str, default is Undefined, optional + Type of auth backend. Should be one of jwt or oidc. Default - jwt Type of backend. 
Can be either 'jwt' or 'oidc' + """ + + + boundIssuer?: str + + defaultRole?: str + + description?: str + + disableRemount?: bool + + jwksCaPem?: str + + jwksUrl?: str + + jwtSupportedAlgs?: [str] + + jwtValidationPubkeys?: [str] + + local?: bool + + namespace?: str + + namespaceInState?: bool + + oidcClientId?: str + + oidcDiscoveryCaPem?: str + + oidcDiscoveryUrl?: str + + oidcResponseMode?: str + + oidcResponseTypes?: [str] + + path?: str + + providerConfig?: {str:str} + + tune?: [JwtVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0] + + $type?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecInitProviderTuneItems0: + r""" + jwt vault upbound io v1alpha1 auth backend spec init provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + List of headers to whitelist and allowing a plugin to include them in the response. + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtl : str, default is Undefined, optional + Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string + listingVisibility : str, default is Undefined, optional + Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". + maxLeaseTtl : str, default is Undefined, optional + Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string + passthroughRequestHeaders : [str], default is Undefined, optional + List of headers to whitelist and pass from the request to the backend. 
+ tokenType : str, default is Undefined, optional + Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendStatus: + r""" + AuthBackendStatus defines the observed state of AuthBackend. 
+ + Attributes + ---------- + atProvider : JwtVaultUpboundIoV1alpha1AuthBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [JwtVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: JwtVaultUpboundIoV1alpha1AuthBackendStatusAtProvider + + conditions?: [JwtVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0] + + +schema JwtVaultUpboundIoV1alpha1AuthBackendStatusAtProvider: + r""" + jwt vault upbound io v1alpha1 auth backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The accessor for this auth method The accessor of the JWT auth backend + boundIssuer : str, default is Undefined, optional + The value against which to match the iss claim in a JWT The value against which to match the iss claim in a JWT + defaultRole : str, default is Undefined, optional + The default role to use if none is provided during login The default role to use if none is provided during login + description : str, default is Undefined, optional + The description of the auth backend The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + jwksCaPem : str, default is Undefined, optional + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used. + jwksUrl : str, default is Undefined, optional + JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys". JWKS URL to use to authenticate signatures. 
Cannot be used with 'oidc_discovery_url' or 'jwt_validation_pubkeys'. + jwtSupportedAlgs : [str], default is Undefined, optional + A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ A list of supported signing algorithms. Defaults to [RS256] + jwtValidationPubkeys : [str], default is Undefined, optional + A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with 'jwks_url' or 'oidc_discovery_url'. + local : bool, default is Undefined, optional + Specifies if the auth method is local only. Specifies if the auth method is local only + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + namespaceInState : bool, default is Undefined, optional + Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. 
+ oidcClientId : str, default is Undefined, optional + Client ID used for OIDC backends Client ID used for OIDC + oidcDiscoveryCaPem : str, default is Undefined, optional + The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used + oidcDiscoveryUrl : str, default is Undefined, optional + The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys The OIDC Discovery URL, without any .well-known component (base path). Cannot be used with 'jwks_url' or 'jwt_validation_pubkeys'. + oidcResponseMode : str, default is Undefined, optional + The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false. The response mode to be used in the OAuth2 request. Allowed values are 'query' and 'form_post'. Defaults to 'query'. If using Vault namespaces, and oidc_response_mode is 'form_post', then 'namespace_in_state' should be set to false. + oidcResponseTypes : [str], default is Undefined, optional + List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post. The response types to request. Allowed values are 'code' and 'id_token'. Defaults to 'code'. Note: 'id_token' may only be used if 'oidc_response_mode' is set to 'form_post'. + path : str, default is Undefined, optional + Path to mount the JWT/OIDC auth backend path to mount the backend + providerConfig : {str:str}, default is Undefined, optional + Provider specific handling configuration. 
All values may be strings, and the provider will convert to the appropriate type when configuring Vault. Provider specific handling configuration + tune : [JwtVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0], default is Undefined, optional + tune + $type : str, default is Undefined, optional + Type of auth backend. Should be one of jwt or oidc. Default - jwt Type of backend. Can be either 'jwt' or 'oidc' + """ + + + accessor?: str + + boundIssuer?: str + + defaultRole?: str + + description?: str + + disableRemount?: bool + + id?: str + + jwksCaPem?: str + + jwksUrl?: str + + jwtSupportedAlgs?: [str] + + jwtValidationPubkeys?: [str] + + local?: bool + + namespace?: str + + namespaceInState?: bool + + oidcClientId?: str + + oidcDiscoveryCaPem?: str + + oidcDiscoveryUrl?: str + + oidcResponseMode?: str + + oidcResponseTypes?: [str] + + path?: str + + providerConfig?: {str:str} + + tune?: [JwtVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0] + + $type?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendStatusAtProviderTuneItems0: + r""" + jwt vault upbound io v1alpha1 auth backend status at provider tune items0 + + Attributes + ---------- + allowedResponseHeaders : [str], default is Undefined, optional + List of headers to whitelist and allowing a plugin to include them in the response. + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtl : str, default is Undefined, optional + Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string + listingVisibility : str, default is Undefined, optional + Specifies whether to show this mount in the UI-specific listing endpoint. 
Valid values are "unauth" or "hidden". + maxLeaseTtl : str, default is Undefined, optional + Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string + passthroughRequestHeaders : [str], default is Undefined, optional + List of headers to whitelist and pass from the request to the backend. + tokenType : str, default is Undefined, optional + Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch". + """ + + + allowedResponseHeaders?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtl?: str + + listingVisibility?: str + + maxLeaseTtl?: str + + passthroughRequestHeaders?: [str] + + tokenType?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..c0bb3490 --- /dev/null 
+++ b/crossplane-provider-vault/jwt/v1alpha1/jwt_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,679 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Manages JWT/OIDC auth backend roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "jwt.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : JwtVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "jwt.vault.upbound.io/v1alpha1" = "jwt.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: JwtVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or 
"Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + jwt vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + allowedRedirectUris : [str], default is Undefined, optional + The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles The list of allowed values for redirect_uri during OIDC logins. 
+ backend : str, default is Undefined, optional + The unique name of the auth backend to configure. Defaults to jwt. Unique name of the auth backend to configure. + boundAudiences : [str], default is Undefined, optional + (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. Any match is sufficient. List of aud claims to match against. Any match is sufficient. + boundClaims : {str:str}, default is Undefined, optional + If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple comma-separated values, e.g. "red" or "red,green,blue". Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + boundClaimsType : str, default is Undefined, optional + How to interpret values in the claims/values map (bound_claims): can be either string (exact match) or glob (wildcard match). Requires Vault 1.4.0 or above. How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + boundSubject : str, default is Undefined, optional + If set, requires that the sub claim matches this value. If set, requires that the sub claim matches this value. + claimMappings : {str:str}, default is Undefined, optional + If set, a map of claims (keys) to be copied to specified metadata fields (values). Map of claims (keys) to be copied to specified metadata fields (values). + clockSkewLeeway : float, default is Undefined, optional + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. 
+ disableBoundClaimsParsing : bool, default is Undefined, optional + Disable bound claim value parsing. Useful when values contain commas. + expirationLeeway : float, default is Undefined, optional + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + groupsClaim : str, default is Undefined, optional + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + maxAge : float, default is Undefined, optional + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated with the OIDC provider. Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + notBeforeLeeway : float, default is Undefined, optional + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. 
The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + oidcScopes : [str], default is Undefined, optional + If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + roleType : str, default is Undefined, optional + Type of role, either "oidc" (default) or "jwt". Type of role, either "oidc" (default) or "jwt" + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. 
The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + userClaim : str, default is Undefined, optional + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + userClaimJsonPointer : bool, default is Undefined, optional + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. Requires Vault 1.11+. Specifies if the user_claim value uses JSON pointer syntax for referencing claims. 
By default, the user_claim value will not use JSON pointer. + verboseOidcLogging : bool, default is Undefined, optional + Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + """ + + + allowedRedirectUris?: [str] + + backend?: str + + boundAudiences?: [str] + + boundClaims?: {str:str} + + boundClaimsType?: str + + boundSubject?: str + + claimMappings?: {str:str} + + clockSkewLeeway?: float + + disableBoundClaimsParsing?: bool + + expirationLeeway?: float + + groupsClaim?: str + + maxAge?: float + + namespace?: str + + notBeforeLeeway?: float + + oidcScopes?: [str] + + roleName?: str + + roleType?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + userClaim?: str + + userClaimJsonPointer?: bool + + verboseOidcLogging?: bool + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + allowedRedirectUris : [str], default is Undefined, optional + The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles The list of allowed values for redirect_uri during OIDC logins. + backend : str, default is Undefined, optional + The unique name of the auth backend to configure. Defaults to jwt. Unique name of the auth backend to configure. + boundAudiences : [str], default is Undefined, optional + (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. Any match is sufficient. List of aud claims to match against. Any match is sufficient. + boundClaims : {str:str}, default is Undefined, optional + If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple comma-separated values, e.g. "red" or "red,green,blue". Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + boundClaimsType : str, default is Undefined, optional + How to interpret values in the claims/values map (bound_claims): can be either string (exact match) or glob (wildcard match). Requires Vault 1.4.0 or above. How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + boundSubject : str, default is Undefined, optional + If set, requires that the sub claim matches this value. If set, requires that the sub claim matches this value. + claimMappings : {str:str}, default is Undefined, optional + If set, a map of claims (keys) to be copied to specified metadata fields (values). Map of claims (keys) to be copied to specified metadata fields (values). + clockSkewLeeway : float, default is Undefined, optional + The amount of leeway to add to all claims to account for clock skew, in seconds. 
Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + disableBoundClaimsParsing : bool, default is Undefined, optional + Disable bound claim value parsing. Useful when values contain commas. + expirationLeeway : float, default is Undefined, optional + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + groupsClaim : str, default is Undefined, optional + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + maxAge : float, default is Undefined, optional + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated with the OIDC provider. Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + notBeforeLeeway : float, default is Undefined, optional + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + oidcScopes : [str], default is Undefined, optional + If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + roleType : str, default is Undefined, optional + Type of role, either "oidc" (default) or "jwt". Type of role, either "oidc" (default) or "jwt" + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. 
The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + userClaim : str, default is Undefined, optional + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. 
The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + userClaimJsonPointer : bool, default is Undefined, optional + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. Requires Vault 1.11+. Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. + verboseOidcLogging : bool, default is Undefined, optional + Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + """ + + + allowedRedirectUris?: [str] + + backend?: str + + boundAudiences?: [str] + + boundClaims?: {str:str} + + boundClaimsType?: str + + boundSubject?: str + + claimMappings?: {str:str} + + clockSkewLeeway?: float + + disableBoundClaimsParsing?: bool + + expirationLeeway?: float + + groupsClaim?: str + + maxAge?: float + + namespace?: str + + notBeforeLeeway?: float + + oidcScopes?: [str] + + roleName?: str + + roleType?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + userClaim?: str + + userClaimJsonPointer?: bool + + verboseOidcLogging?: bool + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. + + Attributes + ---------- + atProvider : JwtVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [JwtVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: JwtVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [JwtVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + jwt vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + allowedRedirectUris : [str], default is Undefined, optional + The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles The list of allowed values for redirect_uri during OIDC logins. + backend : str, default is Undefined, optional + The unique name of the auth backend to configure. Defaults to jwt. 
Unique name of the auth backend to configure. + boundAudiences : [str], default is Undefined, optional + (For "jwt" roles, at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs is required. Optional for "oidc" roles.) List of aud claims to match against. Any match is sufficient. List of aud claims to match against. Any match is sufficient. + boundClaims : {str:str}, default is Undefined, optional + If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple comma-separated values, e.g. "red" or "red,green,blue". Map of claims/values to match against. The expected value may be a single string or a comma-separated string list. + boundClaimsType : str, default is Undefined, optional + How to interpret values in the claims/values map (bound_claims): can be either string (exact match) or glob (wildcard match). Requires Vault 1.4.0 or above. How to interpret values in the claims/values map: can be either "string" (exact match) or "glob" (wildcard match). + boundSubject : str, default is Undefined, optional + If set, requires that the sub claim matches this value. If set, requires that the sub claim matches this value. + claimMappings : {str:str}, default is Undefined, optional + If set, a map of claims (keys) to be copied to specified metadata fields (values). Map of claims (keys) to be copied to specified metadata fields (values). + clockSkewLeeway : float, default is Undefined, optional + The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + disableBoundClaimsParsing : bool, default is Undefined, optional + Disable bound claim value parsing. 
Useful when values contain commas. + expirationLeeway : float, default is Undefined, optional + The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + groupsClaim : str, default is Undefined, optional + The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings. + id : str, default is Undefined, optional + id + maxAge : float, default is Undefined, optional + Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated with the OIDC provider. Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + notBeforeLeeway : float, default is Undefined, optional + The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles. The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. 
Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with 'jwt' roles. + oidcScopes : [str], default is Undefined, optional + If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. List of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + roleType : str, default is Undefined, optional + Type of role, either "oidc" (default) or "jwt". Type of role, either "oidc" (default) or "jwt" + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. 
The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + userClaim : str, default is Undefined, optional + The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login. + userClaimJsonPointer : bool, default is Undefined, optional + Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. Requires Vault 1.11+. Specifies if the user_claim value uses JSON pointer syntax for referencing claims. 
By default, the user_claim value will not use JSON pointer. + verboseOidcLogging : bool, default is Undefined, optional + Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses. + """ + + + allowedRedirectUris?: [str] + + backend?: str + + boundAudiences?: [str] + + boundClaims?: {str:str} + + boundClaimsType?: str + + boundSubject?: str + + claimMappings?: {str:str} + + clockSkewLeeway?: float + + disableBoundClaimsParsing?: bool + + expirationLeeway?: float + + groupsClaim?: str + + id?: str + + maxAge?: float + + namespace?: str + + notBeforeLeeway?: float + + oidcScopes?: [str] + + roleName?: str + + roleType?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + userClaim?: str + + userClaimJsonPointer?: bool + + verboseOidcLogging?: bool + + +schema JwtVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + +
diff --git a/crossplane-provider-vault/kcl.mod b/crossplane-provider-vault/kcl.mod
new file mode 100644
index 00000000..68c10697
--- /dev/null
+++ b/crossplane-provider-vault/kcl.mod
@@ -0,0 +1,8 @@
+[package]
+name = "crossplane-provider-vault"
+version = "1.0.0"
+description = "`crossplane-provider-vault` is the crossplane-provider-vault spec definition"
+
+[dependencies]
+k8s = "1.28"
+
diff --git a/crossplane-provider-vault/kcl.mod.lock b/crossplane-provider-vault/kcl.mod.lock
new file mode 100644
index 00000000..e9b8686e
--- /dev/null
+++ b/crossplane-provider-vault/kcl.mod.lock
@@ -0,0 +1,5 @@
+[dependencies]
+ [dependencies.k8s]
+ name = "k8s"
+ full_name = "k8s_1.28"
+ version = "1.28"
diff --git a/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_backend.k
new file mode 100644
index 00000000..ca75e7e3
--- /dev/null
+++ b/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_backend.k
@@ -0,0 +1,487 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Provision KMIP Secret backends in Vault. + + Attributes + ---------- + apiVersion : str, default is "kmip.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KmipVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : KmipVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "kmip.vault.upbound.io/v1alpha1" = "kmip.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: KmipVaultUpboundIoV1alpha1SecretBackendSpec + + status?: KmipVaultUpboundIoV1alpha1SecretBackendStatus + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external 
resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KmipVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : KmipVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KmipVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KmipVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: KmipVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KmipVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + kmip vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + defaultTlsClientKeyBits : float, default is Undefined, optional + Client certificate key bits, valid values depend on key type. Client certificate key bits, valid values depend on key type + defaultTlsClientKeyType : str, default is Undefined, optional + Client certificate key type, rsa or ec. 
Client certificate key type, rsa or ec + defaultTlsClientTtl : float, default is Undefined, optional + Client certificate TTL in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + listenAddrs : [str], default is Undefined, optional + Addresses the KMIP server should listen on (host:port). Addresses the KMIP server should listen on (host:port) + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP secret backend will be mounted + serverHostnames : [str], default is Undefined, optional + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) + serverIps : [str], default is Undefined, optional + IPs to include in the server's TLS certificate as SAN IP addresses. IPs to include in the server's TLS certificate as SAN IP addresses + tlsCaKeyBits : float, default is Undefined, optional + CA key bits, valid values depend on key type. CA key bits, valid values depend on key type + tlsCaKeyType : str, default is Undefined, optional + CA key type, rsa or ec. CA key type, rsa or ec + tlsMinVersion : str, default is Undefined, optional + Minimum TLS version to accept. 
Minimum TLS version to accept + """ + + + defaultTlsClientKeyBits?: float + + defaultTlsClientKeyType?: str + + defaultTlsClientTtl?: float + + description?: str + + disableRemount?: bool + + listenAddrs?: [str] + + namespace?: str + + path?: str + + serverHostnames?: [str] + + serverIps?: [str] + + tlsCaKeyBits?: float + + tlsCaKeyType?: str + + tlsMinVersion?: str + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + defaultTlsClientKeyBits : float, default is Undefined, optional + Client certificate key bits, valid values depend on key type. Client certificate key bits, valid values depend on key type + defaultTlsClientKeyType : str, default is Undefined, optional + Client certificate key type, rsa or ec. Client certificate key type, rsa or ec + defaultTlsClientTtl : float, default is Undefined, optional + Client certificate TTL in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. 
+ listenAddrs : [str], default is Undefined, optional + Addresses the KMIP server should listen on (host:port). Addresses the KMIP server should listen on (host:port) + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP secret backend will be mounted + serverHostnames : [str], default is Undefined, optional + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) + serverIps : [str], default is Undefined, optional + IPs to include in the server's TLS certificate as SAN IP addresses. IPs to include in the server's TLS certificate as SAN IP addresses + tlsCaKeyBits : float, default is Undefined, optional + CA key bits, valid values depend on key type. CA key bits, valid values depend on key type + tlsCaKeyType : str, default is Undefined, optional + CA key type, rsa or ec. CA key type, rsa or ec + tlsMinVersion : str, default is Undefined, optional + Minimum TLS version to accept. 
Minimum TLS version to accept + """ + + + defaultTlsClientKeyBits?: float + + defaultTlsClientKeyType?: str + + defaultTlsClientTtl?: float + + description?: str + + disableRemount?: bool + + listenAddrs?: [str] + + namespace?: str + + path?: str + + serverHostnames?: [str] + + serverIps?: [str] + + tlsCaKeyBits?: float + + tlsCaKeyType?: str + + tlsMinVersion?: str + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. 
Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KmipVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KmipVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. 
+ + Attributes + ---------- + atProvider : KmipVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [KmipVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KmipVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [KmipVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema KmipVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + kmip vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + defaultTlsClientKeyBits : float, default is Undefined, optional + Client certificate key bits, valid values depend on key type. Client certificate key bits, valid values depend on key type + defaultTlsClientKeyType : str, default is Undefined, optional + Client certificate key type, rsa or ec. Client certificate key type, rsa or ec + defaultTlsClientTtl : float, default is Undefined, optional + Client certificate TTL in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + listenAddrs : [str], default is Undefined, optional + Addresses the KMIP server should listen on (host:port). Addresses the KMIP server should listen on (host:port) + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP secret backend will be mounted + serverHostnames : [str], default is Undefined, optional + Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN). Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN) + serverIps : [str], default is Undefined, optional + IPs to include in the server's TLS certificate as SAN IP addresses. IPs to include in the server's TLS certificate as SAN IP addresses + tlsCaKeyBits : float, default is Undefined, optional + CA key bits, valid values depend on key type. CA key bits, valid values depend on key type + tlsCaKeyType : str, default is Undefined, optional + CA key type, rsa or ec. CA key type, rsa or ec + tlsMinVersion : str, default is Undefined, optional + Minimum TLS version to accept. Minimum TLS version to accept + """ + + + defaultTlsClientKeyBits?: float + + defaultTlsClientKeyType?: str + + defaultTlsClientTtl?: float + + description?: str + + disableRemount?: bool + + id?: str + + listenAddrs?: [str] + + namespace?: str + + path?: str + + serverHostnames?: [str] + + serverIps?: [str] + + tlsCaKeyBits?: float + + tlsCaKeyType?: str + + tlsMinVersion?: str + + +schema KmipVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_role.k b/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_role.k new file mode 100644 index 00000000..d61362ef --- /dev/null +++ b/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_role.k 
@@ -0,0 +1,583 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretRole: + r""" + SecretRole is the Schema for the SecretRoles API. Provision KMIP Secret roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "kmip.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KmipVaultUpboundIoV1alpha1SecretRoleSpec, default is Undefined, required + spec + status : KmipVaultUpboundIoV1alpha1SecretRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "kmip.vault.upbound.io/v1alpha1" = "kmip.vault.upbound.io/v1alpha1" + + kind: "SecretRole" = "SecretRole" + + metadata?: v1.ObjectMeta + + spec: KmipVaultUpboundIoV1alpha1SecretRoleSpec + + status?: KmipVaultUpboundIoV1alpha1SecretRoleStatus + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpec: + r""" + SecretRoleSpec defines the desired state of SecretRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KmipVaultUpboundIoV1alpha1SecretRoleSpecForProvider, default is Undefined, required + for provider + initProvider : KmipVaultUpboundIoV1alpha1SecretRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KmipVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KmipVaultUpboundIoV1alpha1SecretRoleSpecForProvider + + initProvider?: KmipVaultUpboundIoV1alpha1SecretRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef + + providerRef?: KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderRef + + publishConnectionDetailsTo?: KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KmipVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecForProvider: + r""" + kmip vault upbound io v1alpha1 secret role spec for provider + + Attributes + ---------- + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + operationActivate : bool, default is Undefined, optional + Grant permission to use the KMIP Activate operation. Grant permission to use the KMIP Activate operation + operationAddAttribute : bool, default is Undefined, optional + Grant permission to use the KMIP Add Attribute operation. Grant permission to use the KMIP Add Attribute operation + operationAll : bool, default is Undefined, optional + Grant all permissions to this role. May not be specified with any other operation_* params. Grant all permissions to this role. May not be specified with any other operation_* params + operationCreate : bool, default is Undefined, optional + Grant permission to use the KMIP Create operation. Grant permission to use the KMIP Create operation + operationDestroy : bool, default is Undefined, optional + Grant permission to use the KMIP Destroy operation. Grant permission to use the KMIP Destroy operation + operationDiscoverVersions : bool, default is Undefined, optional + Grant permission to use the KMIP Discover Version operation. Grant permission to use the KMIP Discover Version operation + operationGet : bool, default is Undefined, optional + Grant permission to use the KMIP Get operation. Grant permission to use the KMIP Get operation + operationGetAttributeList : bool, default is Undefined, optional + Grant permission to use the KMIP Get Atrribute List operation. Grant permission to use the KMIP Get Attribute List operation + operationGetAttributes : bool, default is Undefined, optional + Grant permission to use the KMIP Get Atrributes operation. Grant permission to use the KMIP Get Attributes operation + operationLocate : bool, default is Undefined, optional + Grant permission to use the KMIP Get Locate operation. Grant permission to use the KMIP Locate operation + operationNone : bool, default is Undefined, optional + Remove all permissions from this role. May not be specified with any other operation_* params. 
Remove all permissions from this role. May not be specified with any other operation_* params + operationRegister : bool, default is Undefined, optional + Grant permission to use the KMIP Register operation. Grant permission to use the KMIP Register operation + operationRekey : bool, default is Undefined, optional + Grant permission to use the KMIP Rekey operation. Grant permission to use the KMIP Rekey operation + operationRevoke : bool, default is Undefined, optional + Grant permission to use the KMIP Revoke operation. Grant permission to use the KMIP Revoke operation + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP backend is mounted + role : str, default is Undefined, optional + Name of the role. Name of the role + scope : str, default is Undefined, optional + Name of the scope. Name of the scope + tlsClientKeyBits : float, default is Undefined, optional + Client certificate key bits, valid values depend on key type. Client certificate key bits, valid values depend on key type + tlsClientKeyType : str, default is Undefined, optional + Client certificate key type, rsa or ec. Client certificate key type, rsa or ec + tlsClientTtl : float, default is Undefined, optional + Client certificate TTL in seconds. 
Client certificate TTL in seconds + """ + + + namespace?: str + + operationActivate?: bool + + operationAddAttribute?: bool + + operationAll?: bool + + operationCreate?: bool + + operationDestroy?: bool + + operationDiscoverVersions?: bool + + operationGet?: bool + + operationGetAttributeList?: bool + + operationGetAttributes?: bool + + operationLocate?: bool + + operationNone?: bool + + operationRegister?: bool + + operationRekey?: bool + + operationRevoke?: bool + + path?: str + + role?: str + + scope?: str + + tlsClientKeyBits?: float + + tlsClientKeyType?: str + + tlsClientTtl?: float + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + operationActivate : bool, default is Undefined, optional + Grant permission to use the KMIP Activate operation. Grant permission to use the KMIP Activate operation + operationAddAttribute : bool, default is Undefined, optional + Grant permission to use the KMIP Add Attribute operation. 
Grant permission to use the KMIP Add Attribute operation + operationAll : bool, default is Undefined, optional + Grant all permissions to this role. May not be specified with any other operation_* params. Grant all permissions to this role. May not be specified with any other operation_* params + operationCreate : bool, default is Undefined, optional + Grant permission to use the KMIP Create operation. Grant permission to use the KMIP Create operation + operationDestroy : bool, default is Undefined, optional + Grant permission to use the KMIP Destroy operation. Grant permission to use the KMIP Destroy operation + operationDiscoverVersions : bool, default is Undefined, optional + Grant permission to use the KMIP Discover Version operation. Grant permission to use the KMIP Discover Version operation + operationGet : bool, default is Undefined, optional + Grant permission to use the KMIP Get operation. Grant permission to use the KMIP Get operation + operationGetAttributeList : bool, default is Undefined, optional + Grant permission to use the KMIP Get Atrribute List operation. Grant permission to use the KMIP Get Attribute List operation + operationGetAttributes : bool, default is Undefined, optional + Grant permission to use the KMIP Get Atrributes operation. Grant permission to use the KMIP Get Attributes operation + operationLocate : bool, default is Undefined, optional + Grant permission to use the KMIP Get Locate operation. Grant permission to use the KMIP Locate operation + operationNone : bool, default is Undefined, optional + Remove all permissions from this role. May not be specified with any other operation_* params. Remove all permissions from this role. May not be specified with any other operation_* params + operationRegister : bool, default is Undefined, optional + Grant permission to use the KMIP Register operation. 
Grant permission to use the KMIP Register operation + operationRekey : bool, default is Undefined, optional + Grant permission to use the KMIP Rekey operation. Grant permission to use the KMIP Rekey operation + operationRevoke : bool, default is Undefined, optional + Grant permission to use the KMIP Revoke operation. Grant permission to use the KMIP Revoke operation + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP backend is mounted + role : str, default is Undefined, optional + Name of the role. Name of the role + scope : str, default is Undefined, optional + Name of the scope. Name of the scope + tlsClientKeyBits : float, default is Undefined, optional + Client certificate key bits, valid values depend on key type. Client certificate key bits, valid values depend on key type + tlsClientKeyType : str, default is Undefined, optional + Client certificate key type, rsa or ec. Client certificate key type, rsa or ec + tlsClientTtl : float, default is Undefined, optional + Client certificate TTL in seconds. Client certificate TTL in seconds + """ + + + namespace?: str + + operationActivate?: bool + + operationAddAttribute?: bool + + operationAll?: bool + + operationCreate?: bool + + operationDestroy?: bool + + operationDiscoverVersions?: bool + + operationGet?: bool + + operationGetAttributeList?: bool + + operationGetAttributes?: bool + + operationLocate?: bool + + operationNone?: bool + + operationRegister?: bool + + operationRekey?: bool + + operationRevoke?: bool + + path?: str + + role?: str + + scope?: str + + tlsClientKeyBits?: float + + tlsClientKeyType?: str + + tlsClientTtl?: float + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KmipVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KmipVaultUpboundIoV1alpha1SecretRoleStatus: + r""" + SecretRoleStatus defines the observed state of SecretRole. + + Attributes + ---------- + atProvider : KmipVaultUpboundIoV1alpha1SecretRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [KmipVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KmipVaultUpboundIoV1alpha1SecretRoleStatusAtProvider + + conditions?: [KmipVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0] + + +schema KmipVaultUpboundIoV1alpha1SecretRoleStatusAtProvider: + r""" + kmip vault upbound io v1alpha1 secret role status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + operationActivate : bool, default is Undefined, optional + Grant permission to use the KMIP Activate operation. Grant permission to use the KMIP Activate operation + operationAddAttribute : bool, default is Undefined, optional + Grant permission to use the KMIP Add Attribute operation. Grant permission to use the KMIP Add Attribute operation + operationAll : bool, default is Undefined, optional + Grant all permissions to this role. May not be specified with any other operation_* params. Grant all permissions to this role. May not be specified with any other operation_* params + operationCreate : bool, default is Undefined, optional + Grant permission to use the KMIP Create operation. Grant permission to use the KMIP Create operation + operationDestroy : bool, default is Undefined, optional + Grant permission to use the KMIP Destroy operation. Grant permission to use the KMIP Destroy operation + operationDiscoverVersions : bool, default is Undefined, optional + Grant permission to use the KMIP Discover Version operation. Grant permission to use the KMIP Discover Version operation + operationGet : bool, default is Undefined, optional + Grant permission to use the KMIP Get operation. Grant permission to use the KMIP Get operation + operationGetAttributeList : bool, default is Undefined, optional + Grant permission to use the KMIP Get Atrribute List operation. Grant permission to use the KMIP Get Attribute List operation + operationGetAttributes : bool, default is Undefined, optional + Grant permission to use the KMIP Get Atrributes operation. Grant permission to use the KMIP Get Attributes operation + operationLocate : bool, default is Undefined, optional + Grant permission to use the KMIP Get Locate operation. Grant permission to use the KMIP Locate operation + operationNone : bool, default is Undefined, optional + Remove all permissions from this role. May not be specified with any other operation_* params. 
Remove all permissions from this role. May not be specified with any other operation_* params + operationRegister : bool, default is Undefined, optional + Grant permission to use the KMIP Register operation. Grant permission to use the KMIP Register operation + operationRekey : bool, default is Undefined, optional + Grant permission to use the KMIP Rekey operation. Grant permission to use the KMIP Rekey operation + operationRevoke : bool, default is Undefined, optional + Grant permission to use the KMIP Revoke operation. Grant permission to use the KMIP Revoke operation + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP backend is mounted + role : str, default is Undefined, optional + Name of the role. Name of the role + scope : str, default is Undefined, optional + Name of the scope. Name of the scope + tlsClientKeyBits : float, default is Undefined, optional + Client certificate key bits, valid values depend on key type. Client certificate key bits, valid values depend on key type + tlsClientKeyType : str, default is Undefined, optional + Client certificate key type, rsa or ec. Client certificate key type, rsa or ec + tlsClientTtl : float, default is Undefined, optional + Client certificate TTL in seconds. 
Client certificate TTL in seconds + """ + + + id?: str + + namespace?: str + + operationActivate?: bool + + operationAddAttribute?: bool + + operationAll?: bool + + operationCreate?: bool + + operationDestroy?: bool + + operationDiscoverVersions?: bool + + operationGet?: bool + + operationGetAttributeList?: bool + + operationGetAttributes?: bool + + operationLocate?: bool + + operationNone?: bool + + operationRegister?: bool + + operationRekey?: bool + + operationRevoke?: bool + + path?: str + + role?: str + + scope?: str + + tlsClientKeyBits?: float + + tlsClientKeyType?: str + + tlsClientTtl?: float + + +schema KmipVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_scope.k b/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_scope.k new file mode 100644 index 00000000..dfa315c0 --- /dev/null +++ b/crossplane-provider-vault/kmip/v1alpha1/kmip_vault_upbound_io_v1alpha1_secret_scope.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretScope: + r""" + SecretScope is the Schema for the SecretScopes API. Provision KMIP Secret scopes in Vault. + + Attributes + ---------- + apiVersion : str, default is "kmip.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretScope", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KmipVaultUpboundIoV1alpha1SecretScopeSpec, default is Undefined, required + spec + status : KmipVaultUpboundIoV1alpha1SecretScopeStatus, default is Undefined, optional + status + """ + + + apiVersion: "kmip.vault.upbound.io/v1alpha1" = "kmip.vault.upbound.io/v1alpha1" + + kind: "SecretScope" = "SecretScope" + + metadata?: v1.ObjectMeta + + spec: KmipVaultUpboundIoV1alpha1SecretScopeSpec + + status?: KmipVaultUpboundIoV1alpha1SecretScopeStatus + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpec: + r""" + SecretScopeSpec defines the desired state of SecretScope + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KmipVaultUpboundIoV1alpha1SecretScopeSpecForProvider, default is Undefined, required + for provider + initProvider : KmipVaultUpboundIoV1alpha1SecretScopeSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KmipVaultUpboundIoV1alpha1SecretScopeSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KmipVaultUpboundIoV1alpha1SecretScopeSpecForProvider + + initProvider?: KmipVaultUpboundIoV1alpha1SecretScopeSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderConfigRef + + providerRef?: KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderRef + + publishConnectionDetailsTo?: KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KmipVaultUpboundIoV1alpha1SecretScopeSpecWriteConnectionSecretToRef + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecForProvider: + r""" + kmip vault upbound io v1alpha1 secret scope spec for provider + + Attributes + ---------- + force : bool, default is Undefined, optional + Boolean field to force deletion even if there are managed objects in the scope. Force deletion even if there are managed objects in the scope + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP backend is mounted + scope : str, default is Undefined, optional + Name of the scope. Name of the scope + """ + + + force?: bool + + namespace?: str + + path?: str + + scope?: str + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + force : bool, default is Undefined, optional + Boolean field to force deletion even if there are managed objects in the scope. Force deletion even if there are managed objects in the scope + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. 
Defaults to kmip. Path where KMIP backend is mounted + scope : str, default is Undefined, optional + Name of the scope. Name of the scope + """ + + + force?: bool + + namespace?: str + + path?: str + + scope?: str + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderConfigRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToConfigRef + + metadata?: KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KmipVaultUpboundIoV1alpha1SecretScopeSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KmipVaultUpboundIoV1alpha1SecretScopeStatus: + r""" + SecretScopeStatus defines the observed state of SecretScope. + + Attributes + ---------- + atProvider : KmipVaultUpboundIoV1alpha1SecretScopeStatusAtProvider, default is Undefined, optional + at provider + conditions : [KmipVaultUpboundIoV1alpha1SecretScopeStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: KmipVaultUpboundIoV1alpha1SecretScopeStatusAtProvider + + conditions?: [KmipVaultUpboundIoV1alpha1SecretScopeStatusConditionsItems0] + + +schema KmipVaultUpboundIoV1alpha1SecretScopeStatusAtProvider: + r""" + kmip vault upbound io v1alpha1 secret scope status at provider + + Attributes + ---------- + force : bool, default is Undefined, optional + Boolean field to force deletion even if there are managed objects in the scope. Force deletion even if there are managed objects in the scope + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to kmip. Path where KMIP backend is mounted + scope : str, default is Undefined, optional + Name of the scope. Name of the scope + """ + + + force?: bool + + id?: str + + namespace?: str + + path?: str + + scope?: str + + +schema KmipVaultUpboundIoV1alpha1SecretScopeStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? 
+ $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_config.k b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_config.k new file mode 100644 index 00000000..1a6ee7d0 --- /dev/null +++ b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_config.k 
@@ -0,0 +1,453 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendConfig: + r""" + AuthBackendConfig is the Schema for the AuthBackendConfigs API. Manages Kubernetes auth backend configs in Vault. + + Attributes + ---------- + apiVersion : str, default is "kubernetes.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendConfig", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpec, default is Undefined, required + spec + status : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatus, default is Undefined, optional + status + """ + + + apiVersion: "kubernetes.vault.upbound.io/v1alpha1" = "kubernetes.vault.upbound.io/v1alpha1" + + kind: "AuthBackendConfig" = "AuthBackendConfig" + + metadata?: v1.ObjectMeta + + spec: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpec + + status?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatus + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpec: + r""" + AuthBackendConfigSpec defines the desired state of AuthBackendConfig + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecForProvider, default is Undefined, required + for provider + initProvider : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecForProvider + + initProvider?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRef + + providerRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRef + + publishConnectionDetailsTo?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecWriteConnectionSecretToRef + + 
+schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecForProvider: + r""" + kubernetes vault upbound io v1alpha1 auth backend config spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the kubernetes backend to configure. + disableIssValidation : bool, default is Undefined, optional + Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable JWT issuer validation. Allows to skip ISS validation. + disableLocalCaJwt : bool, default is Undefined, optional + Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. + issuer : str, default is Undefined, optional + JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + kubernetesCaCert : str, default is Undefined, optional + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + kubernetesHost : str, default is Undefined, optional + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + pemKeys : [str], default is Undefined, optional + List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + tokenReviewerJwtSecretRef : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderTokenReviewerJwtSecretRef, default is Undefined, optional + token reviewer jwt secret ref + """ + + + backend?: str + + disableIssValidation?: bool + + disableLocalCaJwt?: bool + + issuer?: str + + kubernetesCaCert?: str + + kubernetesHost?: str + + namespace?: str + + pemKeys?: [str] + + tokenReviewerJwtSecretRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderTokenReviewerJwtSecretRef + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecForProviderTokenReviewerJwtSecretRef: + r""" + A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the kubernetes backend to configure. + disableIssValidation : bool, default is Undefined, optional + Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable JWT issuer validation. Allows to skip ISS validation. + disableLocalCaJwt : bool, default is Undefined, optional + Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. + issuer : str, default is Undefined, optional + JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + kubernetesCaCert : str, default is Undefined, optional + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. 
+ kubernetesHost : str, default is Undefined, optional + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pemKeys : [str], default is Undefined, optional + List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + """ + + + backend?: str + + disableIssValidation?: bool + + disableLocalCaJwt?: bool + + issuer?: str + + kubernetesCaCert?: str + + kubernetesHost?: str + + namespace?: str + + pemKeys?: [str] + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRef + + metadata?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatus: + r""" + AuthBackendConfigStatus defines the observed state of AuthBackendConfig. + + Attributes + ---------- + atProvider : KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatusAtProvider, default is Undefined, optional + at provider + conditions : [KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatusAtProvider + + conditions?: [KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatusConditionsItems0] + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatusAtProvider: + r""" + kubernetes vault upbound io v1alpha1 auth backend config status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Unique name of the kubernetes backend to configure. + disableIssValidation : bool, default is Undefined, optional + Disable JWT issuer validation. Allows to skip ISS validation. 
Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable JWT issuer validation. Allows to skip ISS validation. + disableLocalCaJwt : bool, default is Undefined, optional + Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+ Optional disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. + id : str, default is Undefined, optional + id + issuer : str, default is Undefined, optional + JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer. + kubernetesCaCert : str, default is Undefined, optional + PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API. + kubernetesHost : str, default is Undefined, optional + Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pemKeys : [str], default is Undefined, optional + List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. 
If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys. + """ + + + backend?: str + + disableIssValidation?: bool + + disableLocalCaJwt?: bool + + id?: str + + issuer?: str + + kubernetesCaCert?: str + + kubernetesHost?: str + + namespace?: str + + pemKeys?: [str] + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendConfigStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..cffb68ef --- /dev/null +++ b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,523 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Kubernetes auth backend roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "kubernetes.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "kubernetes.vault.upbound.io/v1alpha1" = "kubernetes.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema 
KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + kubernetes vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + aliasNameSource : str, default is Undefined, optional + Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name + audience : str, default is Undefined, optional + Audience claim to verify in the JWT. Optional Audience claim to verify in the JWT. + backend : str, default is Undefined, optional + Unique name of the kubernetes backend to configure. Unique name of the kubernetes backend to configure. + boundServiceAccountNames : [str], default is Undefined, optional + List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". + boundServiceAccountNamespaces : [str], default is Undefined, optional + List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleName : str, default is Undefined, optional + Name of the role. Name of the role. 
+ tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. 
Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + aliasNameSource?: str + + audience?: str + + backend?: str + + boundServiceAccountNames?: [str] + + boundServiceAccountNamespaces?: [str] + + namespace?: str + + roleName?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + aliasNameSource : str, default is Undefined, optional + Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name. 
(vault-1.9+) Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name + audience : str, default is Undefined, optional + Audience claim to verify in the JWT. Optional Audience claim to verify in the JWT. + backend : str, default is Undefined, optional + Unique name of the kubernetes backend to configure. Unique name of the kubernetes backend to configure. + boundServiceAccountNames : [str], default is Undefined, optional + List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". + boundServiceAccountNamespaces : [str], default is Undefined, optional + List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleName : str, default is Undefined, optional + Name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. 
Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). 
For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + aliasNameSource?: str + + audience?: str + + backend?: str + + boundServiceAccountNames?: [str] + + boundServiceAccountNamespaces?: [str] + + namespace?: str + + roleName?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
+ + Attributes + ---------- + atProvider : KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + kubernetes vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + aliasNameSource : str, default is Undefined, optional + Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name. (vault-1.9+) Configures how identity aliases are generated. Valid choices are: serviceaccount_uid, serviceaccount_name + audience : str, default is Undefined, optional + Audience claim to verify in the JWT. Optional Audience claim to verify in the JWT. + backend : str, default is Undefined, optional + Unique name of the kubernetes backend to configure. Unique name of the kubernetes backend to configure. + boundServiceAccountNames : [str], default is Undefined, optional + List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*". List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and bound_service_account_namespaces can not be "*". + boundServiceAccountNamespaces : [str], default is Undefined, optional + List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*". List of namespaces allowed to access this role. 
If set to `["*"]` all namespaces are allowed, both this and bound_service_account_names can not be set to "*". + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + roleName : str, default is Undefined, optional + Name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. 
The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values. Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + aliasNameSource?: str + + audience?: str + + backend?: str + + boundServiceAccountNames?: [str] + + boundServiceAccountNamespaces?: [str] + + id?: str + + namespace?: str + + roleName?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema KubernetesVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. 
+ status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..a527176f --- /dev/null +++ b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,541 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates a Kubernetes Secrets Engine in Vault. + + Attributes + ---------- + apiVersion : str, default is "kubernetes.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KubernetesVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : KubernetesVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "kubernetes.vault.upbound.io/v1alpha1" = "kubernetes.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: KubernetesVaultUpboundIoV1alpha1SecretBackendSpec + + status?: KubernetesVaultUpboundIoV1alpha1SecretBackendStatus + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is 
deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + kubernetes vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + allowedManagedKeys : [str], default is Undefined, optional + List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of 
keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount + disableLocalCaJwt : bool, default is Undefined, optional + Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. + externalEntropyAccess : bool, default is Undefined, optional + Enable the secrets engine to access Vault's external entropy source + kubernetesCaCert : str, default is Undefined, optional + A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running. A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. + kubernetesHost : str, default is Undefined, optional + The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on. The Kubernetes API URL to connect to. + local : bool, default is Undefined, optional + Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend + path : str, default is Undefined, optional + Where the secret backend will be mounted + sealWrap : bool, default is Undefined, optional + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + serviceAccountJwtSecretRef : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecForProviderServiceAccountJwtSecretRef, default is Undefined, optional + service account jwt secret ref + """ + + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtlSeconds?: float + + description?: str + + disableLocalCaJwt?: bool + + externalEntropyAccess?: bool + + kubernetesCaCert?: str + + kubernetesHost?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + options?: {str:str} + + path?: str + + sealWrap?: bool + + serviceAccountJwtSecretRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecForProviderServiceAccountJwtSecretRef + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecForProviderServiceAccountJwtSecretRef: + r""" + The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes. The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if found. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedManagedKeys : [str], default is Undefined, optional + List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount + disableLocalCaJwt : bool, default is Undefined, optional + Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. 
+ externalEntropyAccess : bool, default is Undefined, optional + Enable the secrets engine to access Vault's external entropy source + kubernetesCaCert : str, default is Undefined, optional + A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running. A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. + kubernetesHost : str, default is Undefined, optional + The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on. The Kubernetes API URL to connect to. + local : bool, default is Undefined, optional + Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend + path : str, default is Undefined, optional + Where the secret backend will be mounted + sealWrap : bool, default is Undefined, optional + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + """ + + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtlSeconds?: float + + description?: str + + disableLocalCaJwt?: bool + + externalEntropyAccess?: bool + + kubernetesCaCert?: str + + kubernetesHost?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + options?: {str:str} + + path?: str + + sealWrap?: bool + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : KubernetesVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [KubernetesVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KubernetesVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [KubernetesVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + kubernetes vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + Accessor of the mount + allowedManagedKeys : [str], default is Undefined, optional + List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. 
+ defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount + disableLocalCaJwt : bool, default is Undefined, optional + Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod. Disable defaulting to the local CA certificate and service account JWT when running in a Kubernetes pod. + externalEntropyAccess : bool, default is Undefined, optional + Enable the secrets engine to access Vault's external entropy source + id : str, default is Undefined, optional + id + kubernetesCaCert : str, default is Undefined, optional + A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running. A PEM-encoded CA certificate used by the secret engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if found, or otherwise the host's root CA set. + kubernetesHost : str, default is Undefined, optional + The Kubernetes API URL to connect to. Required if the standard pod environment variables KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT are not set on the host that Vault is running on. The Kubernetes API URL to connect to. + local : bool, default is Undefined, optional + Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend + path : str, default is Undefined, optional + Where the secret backend will be mounted + sealWrap : bool, default is Undefined, optional + Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + """ + + + accessor?: str + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtlSeconds?: float + + description?: str + + disableLocalCaJwt?: bool + + externalEntropyAccess?: bool + + id?: str + + kubernetesCaCert?: str + + kubernetesHost?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + options?: {str:str} + + path?: str + + sealWrap?: bool + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..664ebfab --- /dev/null +++ b/crossplane-provider-vault/kubernetes/v1alpha1/kubernetes_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,487 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role for the Kubernetes Secrets Engine in Vault. + + Attributes + ---------- + apiVersion : str, default is "kubernetes.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "kubernetes.vault.upbound.io/v1alpha1" = "kubernetes.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + 
+schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + kubernetes vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + allowedKubernetesNamespaces : [str], default is Undefined, optional + The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + backend : str, default is Undefined, optional + The path of the Kubernetes Secrets Engine backend mount to create the role in. The mount path for the Kubernetes secrets engine. + extraAnnotations : {str:str}, default is Undefined, optional + Additional annotations to apply to all generated Kubernetes objects. Additional annotations to apply to all generated Kubernetes objects. + extraLabels : {str:str}, default is Undefined, optional + Additional labels to apply to all generated Kubernetes objects. Additional labels to apply to all generated Kubernetes objects. + generatedRoleRules : str, default is Undefined, optional + The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. + kubernetesRoleName : str, default is Undefined, optional + The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. 
The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. + kubernetesRoleType : str, default is Undefined, optional + Specifies whether the Kubernetes role is a Role or ClusterRole. Specifies whether the Kubernetes role is a Role or ClusterRole. + name : str, default is Undefined, optional + The name of the role. The name of the role. + nameTemplate : str, default is Undefined, optional + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + serviceAccountName : str, default is Undefined, optional + The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested. The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. + tokenDefaultTtl : float, default is Undefined, optional + The default TTL for generated Kubernetes tokens in seconds. The default TTL for generated Kubernetes tokens in seconds. + tokenMaxTtl : float, default is Undefined, optional + The maximum TTL for generated Kubernetes tokens in seconds. The maximum TTL for generated Kubernetes tokens in seconds. 
+ """ + + + allowedKubernetesNamespaces?: [str] + + backend?: str + + extraAnnotations?: {str:str} + + extraLabels?: {str:str} + + generatedRoleRules?: str + + kubernetesRoleName?: str + + kubernetesRoleType?: str + + name?: str + + nameTemplate?: str + + namespace?: str + + serviceAccountName?: str + + tokenDefaultTtl?: float + + tokenMaxTtl?: float + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedKubernetesNamespaces : [str], default is Undefined, optional + The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. The list of Kubernetes namespaces this role can generate credentials for. If set to '*' all namespaces are allowed. + backend : str, default is Undefined, optional + The path of the Kubernetes Secrets Engine backend mount to create the role in. The mount path for the Kubernetes secrets engine. + extraAnnotations : {str:str}, default is Undefined, optional + Additional annotations to apply to all generated Kubernetes objects. Additional annotations to apply to all generated Kubernetes objects. + extraLabels : {str:str}, default is Undefined, optional + Additional labels to apply to all generated Kubernetes objects. 
Additional labels to apply to all generated Kubernetes objects. + generatedRoleRules : str, default is Undefined, optional + The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. + kubernetesRoleName : str, default is Undefined, optional + The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. + kubernetesRoleType : str, default is Undefined, optional + Specifies whether the Kubernetes role is a Role or ClusterRole. Specifies whether the Kubernetes role is a Role or ClusterRole. + name : str, default is Undefined, optional + The name of the role. The name of the role. + nameTemplate : str, default is Undefined, optional + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + serviceAccountName : str, default is Undefined, optional + The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested. The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. + tokenDefaultTtl : float, default is Undefined, optional + The default TTL for generated Kubernetes tokens in seconds. The default TTL for generated Kubernetes tokens in seconds. + tokenMaxTtl : float, default is Undefined, optional + The maximum TTL for generated Kubernetes tokens in seconds. The maximum TTL for generated Kubernetes tokens in seconds. + """ + + + allowedKubernetesNamespaces?: [str] + + backend?: str + + extraAnnotations?: {str:str} + + extraLabels?: {str:str} + + generatedRoleRules?: str + + kubernetesRoleName?: str + + kubernetesRoleType?: str + + name?: str + + nameTemplate?: str + + namespace?: str + + serviceAccountName?: str + + tokenDefaultTtl?: float + + tokenMaxTtl?: float + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + kubernetes vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + allowedKubernetesNamespaces : [str], default is Undefined, optional + The list of Kubernetes namespaces this role can generate credentials for. If set to * all namespaces are allowed. The list of Kubernetes namespaces this role can generate credentials for. 
If set to '*' all namespaces are allowed. + backend : str, default is Undefined, optional + The path of the Kubernetes Secrets Engine backend mount to create the role in. The mount path for the Kubernetes secrets engine. + extraAnnotations : {str:str}, default is Undefined, optional + Additional annotations to apply to all generated Kubernetes objects. Additional annotations to apply to all generated Kubernetes objects. + extraLabels : {str:str}, default is Undefined, optional + Additional labels to apply to all generated Kubernetes objects. Additional labels to apply to all generated Kubernetes objects. + generatedRoleRules : str, default is Undefined, optional + The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with service_account_name and kubernetes_role_name. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with 'service_account_name' and 'kubernetes_role_name'. If set, the entire chain of Kubernetes objects will be generated when credentials are requested. + id : str, default is Undefined, optional + id + kubernetesRoleName : str, default is Undefined, optional + The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with service_account_name and generated_role_rules. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with 'service_account_name' and 'generated_role_rules'. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested. + kubernetesRoleType : str, default is Undefined, optional + Specifies whether the Kubernetes role is a Role or ClusterRole. 
Specifies whether the Kubernetes role is a Role or ClusterRole. + name : str, default is Undefined, optional + The name of the role. The name of the role. + nameTemplate : str, default is Undefined, optional + The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + serviceAccountName : str, default is Undefined, optional + The pre-existing service account to generate tokens for. Mutually exclusive with kubernetes_role_name and generated_role_rules. If set, only a Kubernetes token will be created when credentials are requested. The pre-existing service account to generate tokens for. Mutually exclusive with 'kubernetes_role_name' and 'generated_role_rules'. If set, only a Kubernetes token will be created when credentials are requested. + tokenDefaultTtl : float, default is Undefined, optional + The default TTL for generated Kubernetes tokens in seconds. The default TTL for generated Kubernetes tokens in seconds. + tokenMaxTtl : float, default is Undefined, optional + The maximum TTL for generated Kubernetes tokens in seconds. The maximum TTL for generated Kubernetes tokens in seconds. 
+ """ + + + allowedKubernetesNamespaces?: [str] + + backend?: str + + extraAnnotations?: {str:str} + + extraLabels?: {str:str} + + generatedRoleRules?: str + + id?: str + + kubernetesRoleName?: str + + kubernetesRoleType?: str + + name?: str + + nameTemplate?: str + + namespace?: str + + serviceAccountName?: str + + tokenDefaultTtl?: float + + tokenMaxTtl?: float + + +schema KubernetesVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret.k b/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret.k new file mode 100644 index 00000000..487d1b15 --- /dev/null +++ b/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret.k 
@@ -0,0 +1,381 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Secret: + r""" + Secret is the Schema for the Secrets API. Writes a KV-V1 secret to a given path in Vault + + Attributes + ---------- + apiVersion : str, default is "kv.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Secret", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KvVaultUpboundIoV1alpha1SecretSpec, default is Undefined, required + spec + status : KvVaultUpboundIoV1alpha1SecretStatus, default is Undefined, optional + status + """ + + + apiVersion: "kv.vault.upbound.io/v1alpha1" = "kv.vault.upbound.io/v1alpha1" + + kind: "Secret" = "Secret" + + metadata?: v1.ObjectMeta + + spec: KvVaultUpboundIoV1alpha1SecretSpec + + status?: KvVaultUpboundIoV1alpha1SecretStatus + + +schema KvVaultUpboundIoV1alpha1SecretSpec: + r""" + SecretSpec defines the desired state of Secret + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KvVaultUpboundIoV1alpha1SecretSpecForProvider, default is Undefined, required + for provider + initProvider : KvVaultUpboundIoV1alpha1SecretSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KvVaultUpboundIoV1alpha1SecretSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KvVaultUpboundIoV1alpha1SecretSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KvVaultUpboundIoV1alpha1SecretSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KvVaultUpboundIoV1alpha1SecretSpecForProvider + + initProvider?: KvVaultUpboundIoV1alpha1SecretSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KvVaultUpboundIoV1alpha1SecretSpecProviderConfigRef + + providerRef?: KvVaultUpboundIoV1alpha1SecretSpecProviderRef + + publishConnectionDetailsTo?: KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KvVaultUpboundIoV1alpha1SecretSpecWriteConnectionSecretToRef + + +schema KvVaultUpboundIoV1alpha1SecretSpecForProvider: + r""" + kv vault upbound io v1alpha1 secret spec for provider + + Attributes + ---------- + dataJsonSecretRef : KvVaultUpboundIoV1alpha1SecretSpecForProviderDataJSONSecretRef, default is Undefined, optional + data Json secret ref + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. 
Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Full path of the KV-V1 secret. Full path of the KV-V1 secret. + """ + + + dataJsonSecretRef?: KvVaultUpboundIoV1alpha1SecretSpecForProviderDataJSONSecretRef + + namespace?: str + + path?: str + + +schema KvVaultUpboundIoV1alpha1SecretSpecForProviderDataJSONSecretRef: + r""" + JSON-encoded string that will be written as the secret data at the given path. JSON-encoded secret data to write. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema KvVaultUpboundIoV1alpha1SecretSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Full path of the KV-V1 secret. Full path of the KV-V1 secret. 
+ """ + + + namespace?: str + + path?: str + + +schema KvVaultUpboundIoV1alpha1SecretSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretSpecProviderConfigRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : KvVaultUpboundIoV1alpha1SecretSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretSpecProviderRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRef + + metadata?: KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToMetadata + + name: str + + +schema KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KvVaultUpboundIoV1alpha1SecretSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KvVaultUpboundIoV1alpha1SecretStatus: + r""" + SecretStatus defines the observed state of Secret. + + Attributes + ---------- + atProvider : KvVaultUpboundIoV1alpha1SecretStatusAtProvider, default is Undefined, optional + at provider + conditions : [KvVaultUpboundIoV1alpha1SecretStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: KvVaultUpboundIoV1alpha1SecretStatusAtProvider + + conditions?: [KvVaultUpboundIoV1alpha1SecretStatusConditionsItems0] + + +schema KvVaultUpboundIoV1alpha1SecretStatusAtProvider: + r""" + kv vault upbound io v1alpha1 secret status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Full path of the KV-V1 secret. Full path of the KV-V1 secret. + """ + + + id?: str + + namespace?: str + + path?: str + + +schema KvVaultUpboundIoV1alpha1SecretStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_backend_v2.k b/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_backend_v2.k new file mode 100644 index 00000000..16f9621f --- /dev/null +++ b/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_backend_v2.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendV2: + r""" + SecretBackendV2 is the Schema for the SecretBackendV2s API. Configures KV-V2 backend level settings that are applied to every key in the key-value store. + + Attributes + ---------- + apiVersion : str, default is "kv.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendV2", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KvVaultUpboundIoV1alpha1SecretBackendV2Spec, default is Undefined, required + spec + status : KvVaultUpboundIoV1alpha1SecretBackendV2Status, default is Undefined, optional + status + """ + + + apiVersion: "kv.vault.upbound.io/v1alpha1" = "kv.vault.upbound.io/v1alpha1" + + kind: "SecretBackendV2" = "SecretBackendV2" + + metadata?: v1.ObjectMeta + + spec: KvVaultUpboundIoV1alpha1SecretBackendV2Spec + + status?: KvVaultUpboundIoV1alpha1SecretBackendV2Status + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2Spec: + r""" + SecretBackendV2Spec defines the desired state of SecretBackendV2 + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KvVaultUpboundIoV1alpha1SecretBackendV2SpecForProvider, default is Undefined, required + for provider + initProvider : KvVaultUpboundIoV1alpha1SecretBackendV2SpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KvVaultUpboundIoV1alpha1SecretBackendV2SpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KvVaultUpboundIoV1alpha1SecretBackendV2SpecForProvider + + initProvider?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderConfigRef + + providerRef?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderRef + + publishConnectionDetailsTo?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecWriteConnectionSecretToRef + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecForProvider: + r""" + kv vault upbound io v1alpha1 
secret backend v2 spec for provider + + Attributes + ---------- + casRequired : bool, default is Undefined, optional + If true, all keys will require the cas parameter to be set on all write requests. If true, all keys will require the cas parameter to be set on all write requests. + deleteVersionAfter : float, default is Undefined, optional + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. If set, specifies the length of time before a version is deleted + maxVersions : float, default is Undefined, optional + The number of versions to keep per key. The number of versions to keep per key. + mount : str, default is Undefined, optional + Path where KV-V2 engine is mounted. Path where KV-V2 engine is mounted. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + casRequired?: bool + + deleteVersionAfter?: float + + maxVersions?: float + + mount?: str + + namespace?: str + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + casRequired : bool, default is Undefined, optional + If true, all keys will require the cas parameter to be set on all write requests. If true, all keys will require the cas parameter to be set on all write requests. + deleteVersionAfter : float, default is Undefined, optional + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. If set, specifies the length of time before a version is deleted + maxVersions : float, default is Undefined, optional + The number of versions to keep per key. The number of versions to keep per key. + mount : str, default is Undefined, optional + Path where KV-V2 engine is mounted. Path where KV-V2 engine is mounted. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + casRequired?: bool + + deleteVersionAfter?: float + + maxVersions?: float + + mount?: str + + namespace?: str + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderConfigRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToConfigRef + + metadata?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToMetadata + + name: str + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToConfigRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2SpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2Status: + r""" + SecretBackendV2Status defines the observed state of SecretBackendV2. + + Attributes + ---------- + atProvider : KvVaultUpboundIoV1alpha1SecretBackendV2StatusAtProvider, default is Undefined, optional + at provider + conditions : [KvVaultUpboundIoV1alpha1SecretBackendV2StatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: KvVaultUpboundIoV1alpha1SecretBackendV2StatusAtProvider + + conditions?: [KvVaultUpboundIoV1alpha1SecretBackendV2StatusConditionsItems0] + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2StatusAtProvider: + r""" + kv vault upbound io v1alpha1 secret backend v2 status at provider + + Attributes + ---------- + casRequired : bool, default is Undefined, optional + If true, all keys will require the cas parameter to be set on all write requests. If true, all keys will require the cas parameter to be set on all write requests. + deleteVersionAfter : float, default is Undefined, optional + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. If set, specifies the length of time before a version is deleted + id : str, default is Undefined, optional + id + maxVersions : float, default is Undefined, optional + The number of versions to keep per key. The number of versions to keep per key. + mount : str, default is Undefined, optional + Path where KV-V2 engine is mounted. Path where KV-V2 engine is mounted. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + casRequired?: bool + + deleteVersionAfter?: float + + id?: str + + maxVersions?: float + + mount?: str + + namespace?: str + + +schema KvVaultUpboundIoV1alpha1SecretBackendV2StatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_v2.k b/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_v2.k new file mode 100644 index 00000000..5dcbc4b0 --- /dev/null +++ b/crossplane-provider-vault/kv/v1alpha1/kv_vault_upbound_io_v1alpha1_secret_v2.k 
@@ -0,0 +1,539 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretV2: + r""" + SecretV2 is the Schema for the SecretV2s API. Writes a KV-V2 secret to a given path in Vault + + Attributes + ---------- + apiVersion : str, default is "kv.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretV2", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : KvVaultUpboundIoV1alpha1SecretV2Spec, default is Undefined, required + spec + status : KvVaultUpboundIoV1alpha1SecretV2Status, default is Undefined, optional + status + """ + + + apiVersion: "kv.vault.upbound.io/v1alpha1" = "kv.vault.upbound.io/v1alpha1" + + kind: "SecretV2" = "SecretV2" + + metadata?: v1.ObjectMeta + + spec: KvVaultUpboundIoV1alpha1SecretV2Spec + + status?: KvVaultUpboundIoV1alpha1SecretV2Status + + +schema KvVaultUpboundIoV1alpha1SecretV2Spec: + r""" + SecretV2Spec defines the desired state of SecretV2 + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : KvVaultUpboundIoV1alpha1SecretV2SpecForProvider, default is Undefined, required + for provider + initProvider : KvVaultUpboundIoV1alpha1SecretV2SpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : KvVaultUpboundIoV1alpha1SecretV2SpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : KvVaultUpboundIoV1alpha1SecretV2SpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : KvVaultUpboundIoV1alpha1SecretV2SpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: KvVaultUpboundIoV1alpha1SecretV2SpecForProvider + + initProvider?: KvVaultUpboundIoV1alpha1SecretV2SpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: KvVaultUpboundIoV1alpha1SecretV2SpecProviderConfigRef + + providerRef?: KvVaultUpboundIoV1alpha1SecretV2SpecProviderRef + + publishConnectionDetailsTo?: KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: KvVaultUpboundIoV1alpha1SecretV2SpecWriteConnectionSecretToRef + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecForProvider: + r""" + kv vault upbound io v1alpha1 secret v2 spec for provider + + Attributes + ---------- + cas : float, default is Undefined, optional + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. This flag is required if cas_required is set to true on either the secret or the engine's config. 
In order for a write to be successful, cas must be set to the current version of the secret. + customMetadata : [KvVaultUpboundIoV1alpha1SecretV2SpecForProviderCustomMetadataItems0], default is Undefined, optional + A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info. Custom metadata to be set for the secret. + dataJsonSecretRef : KvVaultUpboundIoV1alpha1SecretV2SpecForProviderDataJSONSecretRef, default is Undefined, optional + data Json secret ref + deleteAllVersions : bool, default is Undefined, optional + If set to true, permanently deletes all versions for the specified key. If set to true, permanently deletes all versions for the specified key. + disableRead : bool, default is Undefined, optional + If set to true, disables reading secret from Vault; note: drift won't be detected. If set to true, disables reading secret from Vault; note: drift won't be detected. + mount : str, default is Undefined, optional + Path where KV-V2 engine is mounted. Path where KV-V2 engine is mounted. + name : str, default is Undefined, optional + Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz. Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + An object that holds option settings. An object that holds option settings. 
+ """ + + + cas?: float + + customMetadata?: [KvVaultUpboundIoV1alpha1SecretV2SpecForProviderCustomMetadataItems0] + + dataJsonSecretRef?: KvVaultUpboundIoV1alpha1SecretV2SpecForProviderDataJSONSecretRef + + deleteAllVersions?: bool + + disableRead?: bool + + mount?: str + + name?: str + + namespace?: str + + options?: {str:str} + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecForProviderCustomMetadataItems0: + r""" + kv vault upbound io v1alpha1 secret v2 spec for provider custom metadata items0 + + Attributes + ---------- + casRequired : bool, default is Undefined, optional + If true, all keys will require the cas parameter to be set on all write requests. If true, all keys will require the cas parameter to be set on all write requests. + data : {str:str}, default is Undefined, optional + A string to string map describing the secret. A map of arbitrary string to string valued user-provided metadata meant to describe the secret. + deleteVersionAfter : float, default is Undefined, optional + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. If set, specifies the length of time before a version is deleted. + maxVersions : float, default is Undefined, optional + The number of versions to keep per key. The number of versions to keep per key. + """ + + + casRequired?: bool + + data?: {str:str} + + deleteVersionAfter?: float + + maxVersions?: float + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecForProviderDataJSONSecretRef: + r""" + JSON-encoded string that will be written as the secret data at the given path. JSON-encoded secret data to write. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + cas : float, default is Undefined, optional + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. + customMetadata : [KvVaultUpboundIoV1alpha1SecretV2SpecInitProviderCustomMetadataItems0], default is Undefined, optional + A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info. Custom metadata to be set for the secret. + deleteAllVersions : bool, default is Undefined, optional + If set to true, permanently deletes all versions for the specified key. If set to true, permanently deletes all versions for the specified key. + disableRead : bool, default is Undefined, optional + If set to true, disables reading secret from Vault; note: drift won't be detected. If set to true, disables reading secret from Vault; note: drift won't be detected. 
+ mount : str, default is Undefined, optional + Path where KV-V2 engine is mounted. Path where KV-V2 engine is mounted. + name : str, default is Undefined, optional + Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz. Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + An object that holds option settings. An object that holds option settings. + """ + + + cas?: float + + customMetadata?: [KvVaultUpboundIoV1alpha1SecretV2SpecInitProviderCustomMetadataItems0] + + deleteAllVersions?: bool + + disableRead?: bool + + mount?: str + + name?: str + + namespace?: str + + options?: {str:str} + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecInitProviderCustomMetadataItems0: + r""" + kv vault upbound io v1alpha1 secret v2 spec init provider custom metadata items0 + + Attributes + ---------- + casRequired : bool, default is Undefined, optional + If true, all keys will require the cas parameter to be set on all write requests. If true, all keys will require the cas parameter to be set on all write requests. + data : {str:str}, default is Undefined, optional + A string to string map describing the secret. A map of arbitrary string to string valued user-provided metadata meant to describe the secret. + deleteVersionAfter : float, default is Undefined, optional + If set, specifies the length of time before a version is deleted. 
Accepts duration in integer seconds. If set, specifies the length of time before a version is deleted. + maxVersions : float, default is Undefined, optional + The number of versions to keep per key. The number of versions to keep per key. + """ + + + casRequired?: bool + + data?: {str:str} + + deleteVersionAfter?: float + + maxVersions?: float + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretV2SpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretV2SpecProviderConfigRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretV2SpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretV2SpecProviderRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToConfigRef + + metadata?: KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToMetadata + + name: str + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToConfigRefPolicy + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema KvVaultUpboundIoV1alpha1SecretV2SpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema KvVaultUpboundIoV1alpha1SecretV2Status: + r""" + SecretV2Status defines the observed state of SecretV2. + + Attributes + ---------- + atProvider : KvVaultUpboundIoV1alpha1SecretV2StatusAtProvider, default is Undefined, optional + at provider + conditions : [KvVaultUpboundIoV1alpha1SecretV2StatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: KvVaultUpboundIoV1alpha1SecretV2StatusAtProvider + + conditions?: [KvVaultUpboundIoV1alpha1SecretV2StatusConditionsItems0] + + +schema KvVaultUpboundIoV1alpha1SecretV2StatusAtProvider: + r""" + kv vault upbound io v1alpha1 secret v2 status at provider + + Attributes + ---------- + cas : float, default is Undefined, optional + This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write operation to be successful, cas must be set to the current version of the secret. This flag is required if cas_required is set to true on either the secret or the engine's config. In order for a write to be successful, cas must be set to the current version of the secret. + customMetadata : [KvVaultUpboundIoV1alpha1SecretV2StatusAtProviderCustomMetadataItems0], default is Undefined, optional + A nested block that allows configuring metadata for the KV secret. Refer to the Configuration Options for more info. Custom metadata to be set for the secret. + deleteAllVersions : bool, default is Undefined, optional + If set to true, permanently deletes all versions for the specified key. If set to true, permanently deletes all versions for the specified key. + disableRead : bool, default is Undefined, optional + If set to true, disables reading secret from Vault; note: drift won't be detected. If set to true, disables reading secret from Vault; note: drift won't be detected. + id : str, default is Undefined, optional + id + metadata : {str:str}, default is Undefined, optional + Metadata associated with this secret read from Vault. Metadata associated with this secret read from Vault. + mount : str, default is Undefined, optional + Path where KV-V2 engine is mounted. Path where KV-V2 engine is mounted. + name : str, default is Undefined, optional + Full name of the secret. For a nested secret the name is the nested path excluding the mount and data prefix. 
For example, for a secret at kvv2/data/foo/bar/baz the name is foo/bar/baz. Full name of the secret. For a nested secret, the name is the nested path excluding the mount and data prefix. For example, for a secret at 'kvv2/data/foo/bar/baz', the name is 'foo/bar/baz' + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + An object that holds option settings. An object that holds option settings. + path : str, default is Undefined, optional + Full path where the KV-V2 secret will be written. Full path where the KV-V2 secret will be written. + """ + + + cas?: float + + customMetadata?: [KvVaultUpboundIoV1alpha1SecretV2StatusAtProviderCustomMetadataItems0] + + deleteAllVersions?: bool + + disableRead?: bool + + id?: str + + metadata?: {str:str} + + mount?: str + + name?: str + + namespace?: str + + options?: {str:str} + + path?: str + + +schema KvVaultUpboundIoV1alpha1SecretV2StatusAtProviderCustomMetadataItems0: + r""" + kv vault upbound io v1alpha1 secret v2 status at provider custom metadata items0 + + Attributes + ---------- + casRequired : bool, default is Undefined, optional + If true, all keys will require the cas parameter to be set on all write requests. If true, all keys will require the cas parameter to be set on all write requests. + data : {str:str}, default is Undefined, optional + A string to string map describing the secret. A map of arbitrary string to string valued user-provided metadata meant to describe the secret. + deleteVersionAfter : float, default is Undefined, optional + If set, specifies the length of time before a version is deleted. Accepts duration in integer seconds. If set, specifies the length of time before a version is deleted. 
+ maxVersions : float, default is Undefined, optional + The number of versions to keep per key. The number of versions to keep per key. + """ + + + casRequired?: bool + + data?: {str:str} + + deleteVersionAfter?: float + + maxVersions?: float + + +schema KvVaultUpboundIoV1alpha1SecretV2StatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend.k b/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend.k new file mode 100644 index 00000000..25821d00 --- /dev/null +++ b/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend.k 
@@ -0,0 +1,807 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackend: + r""" + AuthBackend is the Schema for the AuthBackends API. + + Attributes + ---------- + apiVersion : str, default is "ldap.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : LdapVaultUpboundIoV1alpha1AuthBackendSpec, default is Undefined, required + spec + status : LdapVaultUpboundIoV1alpha1AuthBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "ldap.vault.upbound.io/v1alpha1" = "ldap.vault.upbound.io/v1alpha1" + + kind: "AuthBackend" = "AuthBackend" + + metadata?: v1.ObjectMeta + + spec: LdapVaultUpboundIoV1alpha1AuthBackendSpec + + status?: LdapVaultUpboundIoV1alpha1AuthBackendStatus + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpec: + r""" + AuthBackendSpec defines the desired state of AuthBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : LdapVaultUpboundIoV1alpha1AuthBackendSpecForProvider, default is Undefined, required + for provider + initProvider : LdapVaultUpboundIoV1alpha1AuthBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : LdapVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: LdapVaultUpboundIoV1alpha1AuthBackendSpecForProvider + + initProvider?: LdapVaultUpboundIoV1alpha1AuthBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef + + providerRef?: LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderRef + + publishConnectionDetailsTo?: LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: LdapVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecForProvider: + r""" + ldap vault upbound io v1alpha1 auth backend spec for provider + + Attributes + ---------- + binddn : str, default is Undefined, optional + binddn + bindpassSecretRef : LdapVaultUpboundIoV1alpha1AuthBackendSpecForProviderBindpassSecretRef, default is Undefined, optional + bindpass secret ref + caseSensitiveNames : bool, default is Undefined, optional + case sensitive names + certificate : str, default is Undefined, optional 
+ certificate + clientTlsCert : str, default is Undefined, optional + client Tls cert + clientTlsKeySecretRef : LdapVaultUpboundIoV1alpha1AuthBackendSpecForProviderClientTLSKeySecretRef, default is Undefined, optional + client Tls key secret ref + denyNullBind : bool, default is Undefined, optional + deny null bind + description : str, default is Undefined, optional + description + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + discoverdn : bool, default is Undefined, optional + discoverdn + groupattr : str, default is Undefined, optional + groupattr + groupdn : str, default is Undefined, optional + groupdn + groupfilter : str, default is Undefined, optional + groupfilter + insecureTls : bool, default is Undefined, optional + insecure Tls + local : bool, default is Undefined, optional + Specifies if the auth method is local only + maxPageSize : float, default is Undefined, optional + max page size + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + path + starttls : bool, default is Undefined, optional + starttls + tlsMaxVersion : str, default is Undefined, optional + tls max version + tlsMinVersion : str, default is Undefined, optional + tls min version + tokenBoundCidrs : [str], default is Undefined, optional + Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token to generate, service or batch + upndomain : str, default is Undefined, optional + upndomain + url : str, default is Undefined, optional + url + useTokenGroups : bool, default is Undefined, optional + use token groups + userattr : str, default is Undefined, optional + userattr + userdn : str, default is Undefined, optional + userdn + userfilter : str, default is Undefined, optional + userfilter + usernameAsAlias : bool, default is Undefined, optional + Force the auth method to use the username passed by the user as the alias name. 
+ """ + + + binddn?: str + + bindpassSecretRef?: LdapVaultUpboundIoV1alpha1AuthBackendSpecForProviderBindpassSecretRef + + caseSensitiveNames?: bool + + certificate?: str + + clientTlsCert?: str + + clientTlsKeySecretRef?: LdapVaultUpboundIoV1alpha1AuthBackendSpecForProviderClientTLSKeySecretRef + + denyNullBind?: bool + + description?: str + + disableRemount?: bool + + discoverdn?: bool + + groupattr?: str + + groupdn?: str + + groupfilter?: str + + insecureTls?: bool + + local?: bool + + maxPageSize?: float + + namespace?: str + + path?: str + + starttls?: bool + + tlsMaxVersion?: str + + tlsMinVersion?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + upndomain?: str + + url?: str + + useTokenGroups?: bool + + userattr?: str + + userdn?: str + + userfilter?: str + + usernameAsAlias?: bool + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecForProviderBindpassSecretRef: + r""" + A SecretKeySelector is a reference to a secret key in an arbitrary namespace. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecForProviderClientTLSKeySecretRef: + r""" + A SecretKeySelector is a reference to a secret key in an arbitrary namespace. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + binddn : str, default is Undefined, optional + binddn + caseSensitiveNames : bool, default is Undefined, optional + case sensitive names + certificate : str, default is Undefined, optional + certificate + clientTlsCert : str, default is Undefined, optional + client Tls cert + denyNullBind : bool, default is Undefined, optional + deny null bind + description : str, default is Undefined, optional + description + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + discoverdn : bool, default is Undefined, optional + discoverdn + groupattr : str, default is Undefined, optional + groupattr + groupdn : str, default is Undefined, optional + groupdn + groupfilter : str, default is Undefined, optional + groupfilter + insecureTls : bool, default is Undefined, optional + insecure Tls + local : bool, default is Undefined, optional + Specifies if the auth method is local only + maxPageSize : float, default is Undefined, optional + max page size + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + path + starttls : bool, default is Undefined, optional + starttls + tlsMaxVersion : str, default is Undefined, optional + tls max version + tlsMinVersion : str, default is Undefined, optional + tls min version + tokenBoundCidrs : [str], default is Undefined, optional + Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token to generate, service or batch + upndomain : str, default is Undefined, optional + upndomain + url : str, default is Undefined, optional + url + useTokenGroups : bool, default is Undefined, optional + use token groups + userattr : str, default is Undefined, optional + userattr + userdn : str, default is Undefined, optional + userdn + userfilter : str, default is Undefined, optional + userfilter + usernameAsAlias : bool, default is Undefined, optional + Force the auth method to use the username passed by the user as the alias name. 
+ """ + + + binddn?: str + + caseSensitiveNames?: bool + + certificate?: str + + clientTlsCert?: str + + denyNullBind?: bool + + description?: str + + disableRemount?: bool + + discoverdn?: bool + + groupattr?: str + + groupdn?: str + + groupfilter?: str + + insecureTls?: bool + + local?: bool + + maxPageSize?: float + + namespace?: str + + path?: str + + starttls?: bool + + tlsMaxVersion?: str + + tlsMinVersion?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + upndomain?: str + + url?: str + + useTokenGroups?: bool + + userattr?: str + + userdn?: str + + userfilter?: str + + usernameAsAlias?: bool + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendStatus: + r""" + AuthBackendStatus defines the observed state of AuthBackend. 
+ + Attributes + ---------- + atProvider : LdapVaultUpboundIoV1alpha1AuthBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [LdapVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: LdapVaultUpboundIoV1alpha1AuthBackendStatusAtProvider + + conditions?: [LdapVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0] + + +schema LdapVaultUpboundIoV1alpha1AuthBackendStatusAtProvider: + r""" + ldap vault upbound io v1alpha1 auth backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The accessor of the LDAP auth backend + binddn : str, default is Undefined, optional + binddn + caseSensitiveNames : bool, default is Undefined, optional + case sensitive names + certificate : str, default is Undefined, optional + certificate + clientTlsCert : str, default is Undefined, optional + client Tls cert + denyNullBind : bool, default is Undefined, optional + deny null bind + description : str, default is Undefined, optional + description + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + discoverdn : bool, default is Undefined, optional + discoverdn + groupattr : str, default is Undefined, optional + groupattr + groupdn : str, default is Undefined, optional + groupdn + groupfilter : str, default is Undefined, optional + groupfilter + id : str, default is Undefined, optional + id + insecureTls : bool, default is Undefined, optional + insecure Tls + local : bool, default is Undefined, optional + Specifies if the auth method is local only + maxPageSize : float, default is Undefined, optional + max page size + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + path + starttls : bool, default is Undefined, optional + starttls + tlsMaxVersion : str, default is Undefined, optional + tls max version + tlsMinVersion : str, default is Undefined, optional + tls min version + tokenBoundCidrs : [str], default is Undefined, optional + Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token to generate, service or batch + upndomain : str, default is Undefined, optional + upndomain + url : str, default is Undefined, optional + url + useTokenGroups : bool, default is Undefined, optional + use token groups + userattr : str, default is Undefined, optional + userattr + userdn : str, default is Undefined, optional + userdn + userfilter : str, default is Undefined, optional + userfilter + usernameAsAlias : bool, default is Undefined, optional + Force the auth method to use the username passed by the user as the alias name. 
+ """ + + + accessor?: str + + binddn?: str + + caseSensitiveNames?: bool + + certificate?: str + + clientTlsCert?: str + + denyNullBind?: bool + + description?: str + + disableRemount?: bool + + discoverdn?: bool + + groupattr?: str + + groupdn?: str + + groupfilter?: str + + id?: str + + insecureTls?: bool + + local?: bool + + maxPageSize?: float + + namespace?: str + + path?: str + + starttls?: bool + + tlsMaxVersion?: str + + tlsMinVersion?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + upndomain?: str + + url?: str + + useTokenGroups?: bool + + userattr?: str + + userdn?: str + + userfilter?: str + + usernameAsAlias?: bool + + +schema LdapVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_group.k b/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_group.k new file mode 100644 index 00000000..492bdd53 --- /dev/null +++ b/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_group.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendGroup: + r""" + AuthBackendGroup is the Schema for the AuthBackendGroups API. + + Attributes + ---------- + apiVersion : str, default is "ldap.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendGroup", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpec, default is Undefined, required + spec + status : LdapVaultUpboundIoV1alpha1AuthBackendGroupStatus, default is Undefined, optional + status + """ + + + apiVersion: "ldap.vault.upbound.io/v1alpha1" = "ldap.vault.upbound.io/v1alpha1" + + kind: "AuthBackendGroup" = "AuthBackendGroup" + + metadata?: v1.ObjectMeta + + spec: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpec + + status?: LdapVaultUpboundIoV1alpha1AuthBackendGroupStatus + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpec: + r""" + AuthBackendGroupSpec defines the desired state of AuthBackendGroup + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external 
resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecForProvider, default is Undefined, required + for provider + initProvider : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecForProvider + + initProvider?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRef + + providerRef?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRef + + publishConnectionDetailsTo?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecWriteConnectionSecretToRef + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecForProvider: + r""" + ldap vault upbound io v1alpha1 auth backend group spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + backend + groupname : str, default is Undefined, optional + groupname + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + policies : [str], default is Undefined, optional + policies + """ + + + backend?: str + + groupname?: str + + namespace?: str + + policies?: [str] + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + backend + groupname : str, default is Undefined, optional + groupname + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + policies + """ + + + backend?: str + + groupname?: str + + namespace?: str + + policies?: [str] + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRef + + metadata?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToMetadata + + name: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupStatus: + r""" + AuthBackendGroupStatus defines the observed state of AuthBackendGroup. + + Attributes + ---------- + atProvider : LdapVaultUpboundIoV1alpha1AuthBackendGroupStatusAtProvider, default is Undefined, optional + at provider + conditions : [LdapVaultUpboundIoV1alpha1AuthBackendGroupStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: LdapVaultUpboundIoV1alpha1AuthBackendGroupStatusAtProvider + + conditions?: [LdapVaultUpboundIoV1alpha1AuthBackendGroupStatusConditionsItems0] + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupStatusAtProvider: + r""" + ldap vault upbound io v1alpha1 auth backend group status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + backend + groupname : str, default is Undefined, optional + groupname + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + policies : [str], default is Undefined, optional + policies + """ + + + backend?: str + + groupname?: str + + id?: str + + namespace?: str + + policies?: [str] + + +schema LdapVaultUpboundIoV1alpha1AuthBackendGroupStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_user.k b/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_user.k new file mode 100644 index 00000000..880a1171 --- /dev/null +++ b/crossplane-provider-vault/ldap/v1alpha1/ldap_vault_upbound_io_v1alpha1_auth_backend_user.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendUser: + r""" + AuthBackendUser is the Schema for the AuthBackendUsers API. + + Attributes + ---------- + apiVersion : str, default is "ldap.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendUser", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : LdapVaultUpboundIoV1alpha1AuthBackendUserSpec, default is Undefined, required + spec + status : LdapVaultUpboundIoV1alpha1AuthBackendUserStatus, default is Undefined, optional + status + """ + + + apiVersion: "ldap.vault.upbound.io/v1alpha1" = "ldap.vault.upbound.io/v1alpha1" + + kind: "AuthBackendUser" = "AuthBackendUser" + + metadata?: v1.ObjectMeta + + spec: LdapVaultUpboundIoV1alpha1AuthBackendUserSpec + + status?: LdapVaultUpboundIoV1alpha1AuthBackendUserStatus + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpec: + r""" + AuthBackendUserSpec defines the desired state of AuthBackendUser + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecForProvider, default is Undefined, required + for provider + initProvider : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecForProvider + + initProvider?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRef + + providerRef?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRef + + publishConnectionDetailsTo?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecWriteConnectionSecretToRef + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecForProvider: + r""" + ldap vault upbound io v1alpha1 auth backend user spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + backend + groups : [str], default is Undefined, optional + groups + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + policies : [str], default is Undefined, optional + policies + username : str, default is Undefined, optional + username + """ + + + backend?: str + + groups?: [str] + + namespace?: str + + policies?: [str] + + username?: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + backend + groups : [str], default is Undefined, optional + groups + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + policies + username : str, default is Undefined, optional + username + """ + + + backend?: str + + groups?: [str] + + namespace?: str + + policies?: [str] + + username?: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRef + + metadata?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToMetadata + + name: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRefPolicy + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserStatus: + r""" + AuthBackendUserStatus defines the observed state of AuthBackendUser. + + Attributes + ---------- + atProvider : LdapVaultUpboundIoV1alpha1AuthBackendUserStatusAtProvider, default is Undefined, optional + at provider + conditions : [LdapVaultUpboundIoV1alpha1AuthBackendUserStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: LdapVaultUpboundIoV1alpha1AuthBackendUserStatusAtProvider + + conditions?: [LdapVaultUpboundIoV1alpha1AuthBackendUserStatusConditionsItems0] + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserStatusAtProvider: + r""" + ldap vault upbound io v1alpha1 auth backend user status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + backend + groups : [str], default is Undefined, optional + groups + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + policies : [str], default is Undefined, optional + policies + username : str, default is Undefined, optional + username + """ + + + backend?: str + + groups?: [str] + + id?: str + + namespace?: str + + policies?: [str] + + username?: str + + +schema LdapVaultUpboundIoV1alpha1AuthBackendUserStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/managed/v1alpha1/managed_vault_upbound_io_v1alpha1_keys.k b/crossplane-provider-vault/managed/v1alpha1/managed_vault_upbound_io_v1alpha1_keys.k new file mode 100644 index 00000000..8137a991 --- /dev/null +++ b/crossplane-provider-vault/managed/v1alpha1/managed_vault_upbound_io_v1alpha1_keys.k 
@@ -0,0 +1,985 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Keys: + r""" + Keys is the Schema for the Keyss API. Configures Managed Keys in Vault + + Attributes + ---------- + apiVersion : str, default is "managed.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Keys", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : ManagedVaultUpboundIoV1alpha1KeysSpec, default is Undefined, required + spec + status : ManagedVaultUpboundIoV1alpha1KeysStatus, default is Undefined, optional + status + """ + + + apiVersion: "managed.vault.upbound.io/v1alpha1" = "managed.vault.upbound.io/v1alpha1" + + kind: "Keys" = "Keys" + + metadata?: v1.ObjectMeta + + spec: ManagedVaultUpboundIoV1alpha1KeysSpec + + status?: ManagedVaultUpboundIoV1alpha1KeysStatus + + +schema ManagedVaultUpboundIoV1alpha1KeysSpec: + r""" + KeysSpec defines the desired state of Keys + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : ManagedVaultUpboundIoV1alpha1KeysSpecForProvider, default is Undefined, required + for provider + initProvider : ManagedVaultUpboundIoV1alpha1KeysSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : ManagedVaultUpboundIoV1alpha1KeysSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : ManagedVaultUpboundIoV1alpha1KeysSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : ManagedVaultUpboundIoV1alpha1KeysSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: ManagedVaultUpboundIoV1alpha1KeysSpecForProvider + + initProvider?: ManagedVaultUpboundIoV1alpha1KeysSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: ManagedVaultUpboundIoV1alpha1KeysSpecProviderConfigRef + + providerRef?: ManagedVaultUpboundIoV1alpha1KeysSpecProviderRef + + publishConnectionDetailsTo?: ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: ManagedVaultUpboundIoV1alpha1KeysSpecWriteConnectionSecretToRef + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecForProvider: + r""" + managed vault upbound io v1alpha1 keys spec for provider + + Attributes + ---------- + aws : [ManagedVaultUpboundIoV1alpha1KeysSpecForProviderAwsItems0], default is Undefined, optional + Configuration block for AWS Managed Keys + azure : [ManagedVaultUpboundIoV1alpha1KeysSpecForProviderAzureItems0], default is Undefined, optional + Configuration block for Azure Managed Keys + namespace : str, default is Undefined, optional + The namespace to provision the resource 
in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pkcs : [ManagedVaultUpboundIoV1alpha1KeysSpecForProviderPkcsItems0], default is Undefined, optional + Configuration block for PKCS Managed Keys + """ + + + aws?: [ManagedVaultUpboundIoV1alpha1KeysSpecForProviderAwsItems0] + + azure?: [ManagedVaultUpboundIoV1alpha1KeysSpecForProviderAzureItems0] + + namespace?: str + + pkcs?: [ManagedVaultUpboundIoV1alpha1KeysSpecForProviderPkcsItems0] + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecForProviderAwsItems0: + r""" + managed vault upbound io v1alpha1 keys spec for provider aws items0 + + Attributes + ---------- + accessKey : str, default is Undefined, optional + The AWS access key to use. The AWS access key to use + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. 
Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + curve : str, default is Undefined, optional + The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true. The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true + endpoint : str, default is Undefined, optional + Used to specify a custom AWS endpoint. Used to specify a custom AWS endpoint + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' + keyType : str, default is Undefined, optional + The type of key to use. The type of key to use + kmsKey : str, default is Undefined, optional + An identifier for the key. An identifier for the key + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + region : str, default is Undefined, optional + The AWS region where the keys are stored (or will be stored). The AWS region where the keys are stored (or will be stored) + secretKey : str, default is Undefined, optional + The AWS access key to use. 
The AWS secret key to use + """ + + + accessKey?: str + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + curve?: str + + endpoint?: str + + keyBits?: str + + keyType?: str + + kmsKey?: str + + name?: str + + region?: str + + secretKey?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecForProviderAzureItems0: + r""" + managed vault upbound io v1alpha1 keys spec for provider azure items0 + + Attributes + ---------- + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + clientId : str, default is Undefined, optional + The client id for credentials to query the Azure APIs. The client id for credentials to query the Azure APIs + clientSecret : str, default is Undefined, optional + The client secret for credentials to query the Azure APIs. 
The client secret for credentials to query the Azure APIs + environment : str, default is Undefined, optional + The Azure Cloud environment API endpoints to use. The Azure Cloud environment API endpoints to use + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true + keyName : str, default is Undefined, optional + The Key Vault key to use for encryption and decryption. The Key Vault key to use for encryption and decryption + keyType : str, default is Undefined, optional + The type of key to use. The type of key to use + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + resource : str, default is Undefined, optional + The Azure Key Vault resource's DNS Suffix to connect to. The Azure Key Vault resource's DNS Suffix to connect to + tenantId : str, default is Undefined, optional + The tenant id for the Azure Active Directory organization. The tenant id for the Azure Active Directory organization + vaultName : str, default is Undefined, optional + The Key Vault vault to use for encryption and decryption. 
The Key Vault vault to use the encryption keys for encryption and decryption + """ + + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + clientId?: str + + clientSecret?: str + + environment?: str + + keyBits?: str + + keyName?: str + + keyType?: str + + name?: str + + resource?: str + + tenantId?: str + + vaultName?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecForProviderPkcsItems0: + r""" + managed vault upbound io v1alpha1 keys spec for provider pkcs items0 + + Attributes + ---------- + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + curve : str, default is Undefined, optional + The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true. Supplies the curve value when using the 'CKM_ECDSA' mechanism. 
Required if 'allow_generate_key' is true + forceRwSession : str, default is Undefined, optional + Force all operations to open up a read-write session to the HSM. Force all operations to open up a read-write session to the HSM + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true + keyId : str, default is Undefined, optional + The id of a PKCS#11 key to use. The id of a PKCS#11 key to use + keyLabel : str, default is Undefined, optional + The label of the key to use. The label of the key to use + library : str, default is Undefined, optional + The name of the kms_library stanza to use from Vault's config to lookup the local library path. The name of the kms_library stanza to use from Vault's config to lookup the local library path + mechanism : str, default is Undefined, optional + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + pin : str, default is Undefined, optional + The PIN for login. The PIN for login + slot : str, default is Undefined, optional + The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953). The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953') + tokenLabel : str, default is Undefined, optional + The slot token label to use. 
The slot token label to use + """ + + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + curve?: str + + forceRwSession?: str + + keyBits?: str + + keyId?: str + + keyLabel?: str + + library?: str + + mechanism?: str + + name?: str + + pin?: str + + slot?: str + + tokenLabel?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + aws : [ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderAwsItems0], default is Undefined, optional + Configuration block for AWS Managed Keys + azure : [ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderAzureItems0], default is Undefined, optional + Configuration block for Azure Managed Keys + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + pkcs : [ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderPkcsItems0], default is Undefined, optional + Configuration block for PKCS Managed Keys + """ + + + aws?: [ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderAwsItems0] + + azure?: [ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderAzureItems0] + + namespace?: str + + pkcs?: [ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderPkcsItems0] + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderAwsItems0: + r""" + managed vault upbound io v1alpha1 keys spec init provider aws items0 + + Attributes + ---------- + accessKey : str, default is Undefined, optional + The AWS access key to use. The AWS access key to use + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. 
Allow usage from any mount point within the namespace if 'true' + curve : str, default is Undefined, optional + The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true. The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true + endpoint : str, default is Undefined, optional + Used to specify a custom AWS endpoint. Used to specify a custom AWS endpoint + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' + keyType : str, default is Undefined, optional + The type of key to use. The type of key to use + kmsKey : str, default is Undefined, optional + An identifier for the key. An identifier for the key + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + region : str, default is Undefined, optional + The AWS region where the keys are stored (or will be stored). The AWS region where the keys are stored (or will be stored) + secretKey : str, default is Undefined, optional + The AWS access key to use. The AWS secret key to use + """ + + + accessKey?: str + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + curve?: str + + endpoint?: str + + keyBits?: str + + keyType?: str + + kmsKey?: str + + name?: str + + region?: str + + secretKey?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderAzureItems0: + r""" + managed vault upbound io v1alpha1 keys spec init provider azure items0 + + Attributes + ---------- + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. 
If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + clientId : str, default is Undefined, optional + The client id for credentials to query the Azure APIs. The client id for credentials to query the Azure APIs + clientSecret : str, default is Undefined, optional + The client secret for credentials to query the Azure APIs. The client secret for credentials to query the Azure APIs + environment : str, default is Undefined, optional + The Azure Cloud environment API endpoints to use. The Azure Cloud environment API endpoints to use + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true + keyName : str, default is Undefined, optional + The Key Vault key to use for encryption and decryption. The Key Vault key to use for encryption and decryption + keyType : str, default is Undefined, optional + The type of key to use. 
The type of key to use + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + resource : str, default is Undefined, optional + The Azure Key Vault resource's DNS Suffix to connect to. The Azure Key Vault resource's DNS Suffix to connect to + tenantId : str, default is Undefined, optional + The tenant id for the Azure Active Directory organization. The tenant id for the Azure Active Directory organization + vaultName : str, default is Undefined, optional + The Key Vault vault to use for encryption and decryption. The Key Vault vault to use the encryption keys for encryption and decryption + """ + + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + clientId?: str + + clientSecret?: str + + environment?: str + + keyBits?: str + + keyName?: str + + keyType?: str + + name?: str + + resource?: str + + tenantId?: str + + vaultName?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecInitProviderPkcsItems0: + r""" + managed vault upbound io v1alpha1 keys spec init provider pkcs items0 + + Attributes + ---------- + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. 
+ allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + curve : str, default is Undefined, optional + The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true. Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true + forceRwSession : str, default is Undefined, optional + Force all operations to open up a read-write session to the HSM. Force all operations to open up a read-write session to the HSM + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true + keyId : str, default is Undefined, optional + The id of a PKCS#11 key to use. The id of a PKCS#11 key to use + keyLabel : str, default is Undefined, optional + The label of the key to use. The label of the key to use + library : str, default is Undefined, optional + The name of the kms_library stanza to use from Vault's config to lookup the local library path. The name of the kms_library stanza to use from Vault's config to lookup the local library path + mechanism : str, default is Undefined, optional + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. 
A unique lowercase name that serves as identifying the key + pin : str, default is Undefined, optional + The PIN for login. The PIN for login + slot : str, default is Undefined, optional + The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953). The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953') + tokenLabel : str, default is Undefined, optional + The slot token label to use. The slot token label to use + """ + + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + curve?: str + + forceRwSession?: str + + keyBits?: str + + keyId?: str + + keyLabel?: str + + library?: str + + mechanism?: str + + name?: str + + pin?: str + + slot?: str + + tokenLabel?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ManagedVaultUpboundIoV1alpha1KeysSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ManagedVaultUpboundIoV1alpha1KeysSpecProviderConfigRefPolicy + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ManagedVaultUpboundIoV1alpha1KeysSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ManagedVaultUpboundIoV1alpha1KeysSpecProviderRefPolicy + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToConfigRef + + metadata?: ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToMetadata + + name: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToConfigRefPolicy + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema ManagedVaultUpboundIoV1alpha1KeysStatus: + r""" + KeysStatus defines the observed state of Keys. 
+ + Attributes + ---------- + atProvider : ManagedVaultUpboundIoV1alpha1KeysStatusAtProvider, default is Undefined, optional + at provider + conditions : [ManagedVaultUpboundIoV1alpha1KeysStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: ManagedVaultUpboundIoV1alpha1KeysStatusAtProvider + + conditions?: [ManagedVaultUpboundIoV1alpha1KeysStatusConditionsItems0] + + +schema ManagedVaultUpboundIoV1alpha1KeysStatusAtProvider: + r""" + managed vault upbound io v1alpha1 keys status at provider + + Attributes + ---------- + aws : [ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderAwsItems0], default is Undefined, optional + Configuration block for AWS Managed Keys + azure : [ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderAzureItems0], default is Undefined, optional + Configuration block for Azure Managed Keys + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pkcs : [ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderPkcsItems0], default is Undefined, optional + Configuration block for PKCS Managed Keys + """ + + + aws?: [ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderAwsItems0] + + azure?: [ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderAzureItems0] + + id?: str + + namespace?: str + + pkcs?: [ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderPkcsItems0] + + +schema ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderAwsItems0: + r""" + managed vault upbound io v1alpha1 keys status at provider aws items0 + + Attributes + ---------- + accessKey : str, default is Undefined, optional + The AWS access key to use. 
The AWS access key to use + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + curve : str, default is Undefined, optional + The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true. The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true + endpoint : str, default is Undefined, optional + Used to specify a custom AWS endpoint. Used to specify a custom AWS endpoint + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' + keyType : str, default is Undefined, optional + The type of key to use. The type of key to use + kmsKey : str, default is Undefined, optional + An identifier for the key. 
An identifier for the key + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + region : str, default is Undefined, optional + The AWS region where the keys are stored (or will be stored). The AWS region where the keys are stored (or will be stored) + secretKey : str, default is Undefined, optional + The AWS access key to use. The AWS secret key to use + uuid : str, default is Undefined, optional + ID of the managed key read from Vault + """ + + + accessKey?: str + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + curve?: str + + endpoint?: str + + keyBits?: str + + keyType?: str + + kmsKey?: str + + name?: str + + region?: str + + secretKey?: str + + uuid?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderAzureItems0: + r""" + managed vault upbound io v1alpha1 keys status at provider azure items0 + + Attributes + ---------- + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. 
Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + clientId : str, default is Undefined, optional + The client id for credentials to query the Azure APIs. The client id for credentials to query the Azure APIs + clientSecret : str, default is Undefined, optional + The client secret for credentials to query the Azure APIs. The client secret for credentials to query the Azure APIs + environment : str, default is Undefined, optional + The Azure Cloud environment API endpoints to use. The Azure Cloud environment API endpoints to use + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true + keyName : str, default is Undefined, optional + The Key Vault key to use for encryption and decryption. The Key Vault key to use for encryption and decryption + keyType : str, default is Undefined, optional + The type of key to use. The type of key to use + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + resource : str, default is Undefined, optional + The Azure Key Vault resource's DNS Suffix to connect to. The Azure Key Vault resource's DNS Suffix to connect to + tenantId : str, default is Undefined, optional + The tenant id for the Azure Active Directory organization. The tenant id for the Azure Active Directory organization + uuid : str, default is Undefined, optional + ID of the managed key read from Vault + vaultName : str, default is Undefined, optional + The Key Vault vault to use for encryption and decryption. 
The Key Vault vault to use the encryption keys for encryption and decryption + """ + + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + clientId?: str + + clientSecret?: str + + environment?: str + + keyBits?: str + + keyName?: str + + keyType?: str + + name?: str + + resource?: str + + tenantId?: str + + uuid?: str + + vaultName?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysStatusAtProviderPkcsItems0: + r""" + managed vault upbound io v1alpha1 keys status at provider pkcs items0 + + Attributes + ---------- + allowGenerateKey : bool, default is Undefined, optional + If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend + allowReplaceKey : bool, default is Undefined, optional + Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. + allowStoreKey : bool, default is Undefined, optional + Controls the ability for Vault to import a key to the configured backend, if false, those operations will be forbidden. Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden + anyMount : bool, default is Undefined, optional + If true, allows usage from any mount point within the namespace. Allow usage from any mount point within the namespace if 'true' + curve : str, default is Undefined, optional + The curve to use for an ECDSA key. Used when key_type is ECDSA. Required if allow_generate_key is true. 
Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true + forceRwSession : str, default is Undefined, optional + Force all operations to open up a read-write session to the HSM. Force all operations to open up a read-write session to the HSM + keyBits : str, default is Undefined, optional + The size in bits for an RSA key. Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true + keyId : str, default is Undefined, optional + The id of a PKCS#11 key to use. The id of a PKCS#11 key to use + keyLabel : str, default is Undefined, optional + The label of the key to use. The label of the key to use + library : str, default is Undefined, optional + The name of the kms_library stanza to use from Vault's config to lookup the local library path. The name of the kms_library stanza to use from Vault's config to lookup the local library path + mechanism : str, default is Undefined, optional + The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string. + name : str, default is Undefined, optional + A unique lowercase name that serves as identifying the key. A unique lowercase name that serves as identifying the key + pin : str, default is Undefined, optional + The PIN for login. The PIN for login + slot : str, default is Undefined, optional + The slot number to use, specified as a string in a decimal format (e.g. 2305843009213693953). The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953') + tokenLabel : str, default is Undefined, optional + The slot token label to use. 
The slot token label to use + uuid : str, default is Undefined, optional + ID of the managed key read from Vault + """ + + + allowGenerateKey?: bool + + allowReplaceKey?: bool + + allowStoreKey?: bool + + anyMount?: bool + + curve?: str + + forceRwSession?: str + + keyBits?: str + + keyId?: str + + keyLabel?: str + + library?: str + + mechanism?: str + + name?: str + + pin?: str + + slot?: str + + tokenLabel?: str + + uuid?: str + + +schema ManagedVaultUpboundIoV1alpha1KeysStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_duo.k b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_duo.k new file mode 100644 index 00000000..39c6c0f3 --- /dev/null +++ b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_duo.k 
@@ -0,0 +1,455 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Duo: + r""" + Duo is the Schema for the Duos API. Managing the MFA Duo method configuration + + Attributes + ---------- + apiVersion : str, default is "mfa.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Duo", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : MfaVaultUpboundIoV1alpha1DuoSpec, default is Undefined, required + spec + status : MfaVaultUpboundIoV1alpha1DuoStatus, default is Undefined, optional + status + """ + + + apiVersion: "mfa.vault.upbound.io/v1alpha1" = "mfa.vault.upbound.io/v1alpha1" + + kind: "Duo" = "Duo" + + metadata?: v1.ObjectMeta + + spec: MfaVaultUpboundIoV1alpha1DuoSpec + + status?: MfaVaultUpboundIoV1alpha1DuoStatus + + +schema MfaVaultUpboundIoV1alpha1DuoSpec: + r""" + DuoSpec defines the desired state of Duo + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. 
Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : MfaVaultUpboundIoV1alpha1DuoSpecForProvider, default is Undefined, required + for provider + initProvider : MfaVaultUpboundIoV1alpha1DuoSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : MfaVaultUpboundIoV1alpha1DuoSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : MfaVaultUpboundIoV1alpha1DuoSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : MfaVaultUpboundIoV1alpha1DuoSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: MfaVaultUpboundIoV1alpha1DuoSpecForProvider + + initProvider?: MfaVaultUpboundIoV1alpha1DuoSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: MfaVaultUpboundIoV1alpha1DuoSpecProviderConfigRef + + providerRef?: MfaVaultUpboundIoV1alpha1DuoSpecProviderRef + + publishConnectionDetailsTo?: MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: MfaVaultUpboundIoV1alpha1DuoSpecWriteConnectionSecretToRef + + +schema MfaVaultUpboundIoV1alpha1DuoSpecForProvider: + r""" + mfa vault upbound io v1alpha1 duo spec for provider + + Attributes + ---------- + apiHostname : str, default is Undefined, optional + API hostname for Duo. API hostname for Duo. + integrationKeySecretRef : MfaVaultUpboundIoV1alpha1DuoSpecForProviderIntegrationKeySecretRef, default is Undefined, optional + integration key secret ref + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. 
The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pushInfo : str, default is Undefined, optional + Push information for Duo. Push information for Duo. + secretKeySecretRef : MfaVaultUpboundIoV1alpha1DuoSpecForProviderSecretKeySecretRef, default is Undefined, optional + secret key secret ref + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + apiHostname?: str + + integrationKeySecretRef?: MfaVaultUpboundIoV1alpha1DuoSpecForProviderIntegrationKeySecretRef + + mountAccessor?: str + + name?: str + + namespace?: str + + pushInfo?: str + + secretKeySecretRef?: MfaVaultUpboundIoV1alpha1DuoSpecForProviderSecretKeySecretRef + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1DuoSpecForProviderIntegrationKeySecretRef: + r""" + Integration key for Duo. Integration key for Duo. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. 
+ namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1DuoSpecForProviderSecretKeySecretRef: + r""" + Secret key for Duo. Secret key for Duo. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1DuoSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + apiHostname : str, default is Undefined, optional + API hostname for Duo. API hostname for Duo. + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pushInfo : str, default is Undefined, optional + Push information for Duo. Push information for Duo. + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + apiHostname?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + pushInfo?: str + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1DuoSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1DuoSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1DuoSpecProviderConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1DuoSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1DuoSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1DuoSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1DuoSpecProviderRefPolicy + + +schema MfaVaultUpboundIoV1alpha1DuoSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToConfigRef + + metadata?: MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToMetadata + + name: str + + +schema MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1DuoSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema MfaVaultUpboundIoV1alpha1DuoSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1DuoStatus: + r""" + DuoStatus defines the observed state of Duo. + + Attributes + ---------- + atProvider : MfaVaultUpboundIoV1alpha1DuoStatusAtProvider, default is Undefined, optional + at provider + conditions : [MfaVaultUpboundIoV1alpha1DuoStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: MfaVaultUpboundIoV1alpha1DuoStatusAtProvider + + conditions?: [MfaVaultUpboundIoV1alpha1DuoStatusConditionsItems0] + + +schema MfaVaultUpboundIoV1alpha1DuoStatusAtProvider: + r""" + mfa vault upbound io v1alpha1 duo status at provider + + Attributes + ---------- + apiHostname : str, default is Undefined, optional + API hostname for Duo. API hostname for Duo. + id : str, default is Undefined, optional + id + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pushInfo : str, default is Undefined, optional + Push information for Duo. Push information for Duo. 
+ usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + apiHostname?: str + + id?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + pushInfo?: str + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1DuoStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_okta.k b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_okta.k new file mode 100644 index 00000000..64da8893 --- /dev/null +++ b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_okta.k 
@@ -0,0 +1,441 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Okta: + r""" + Okta is the Schema for the Oktas API. Managing the MFA Okta method configuration + + Attributes + ---------- + apiVersion : str, default is "mfa.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Okta", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : MfaVaultUpboundIoV1alpha1OktaSpec, default is Undefined, required + spec + status : MfaVaultUpboundIoV1alpha1OktaStatus, default is Undefined, optional + status + """ + + + apiVersion: "mfa.vault.upbound.io/v1alpha1" = "mfa.vault.upbound.io/v1alpha1" + + kind: "Okta" = "Okta" + + metadata?: v1.ObjectMeta + + spec: MfaVaultUpboundIoV1alpha1OktaSpec + + status?: MfaVaultUpboundIoV1alpha1OktaStatus + + +schema MfaVaultUpboundIoV1alpha1OktaSpec: + r""" + OktaSpec defines the desired state of Okta + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. 
Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : MfaVaultUpboundIoV1alpha1OktaSpecForProvider, default is Undefined, required + for provider + initProvider : MfaVaultUpboundIoV1alpha1OktaSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : MfaVaultUpboundIoV1alpha1OktaSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : MfaVaultUpboundIoV1alpha1OktaSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : MfaVaultUpboundIoV1alpha1OktaSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: MfaVaultUpboundIoV1alpha1OktaSpecForProvider + + initProvider?: MfaVaultUpboundIoV1alpha1OktaSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: MfaVaultUpboundIoV1alpha1OktaSpecProviderConfigRef + + providerRef?: MfaVaultUpboundIoV1alpha1OktaSpecProviderRef + + publishConnectionDetailsTo?: MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: MfaVaultUpboundIoV1alpha1OktaSpecWriteConnectionSecretToRef + + +schema MfaVaultUpboundIoV1alpha1OktaSpecForProvider: + r""" + mfa vault upbound io v1alpha1 okta spec for provider + + Attributes + ---------- + apiTokenSecretRef : MfaVaultUpboundIoV1alpha1OktaSpecForProviderAPITokenSecretRef, default is Undefined, optional + api token secret ref + baseUrl : str, default is Undefined, optional + If set, will be used as the base domain for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com. If set, will be used as the base domain for API requests. 
+ mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + orgName : str, default is Undefined, optional + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. + primaryEmail : bool, default is Undefined, optional + If set to true, the username will only match the primary email for the account. If set to true, the username will only match the primary email for the account. + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + apiTokenSecretRef?: MfaVaultUpboundIoV1alpha1OktaSpecForProviderAPITokenSecretRef + + baseUrl?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + orgName?: str + + primaryEmail?: bool + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1OktaSpecForProviderAPITokenSecretRef: + r""" + Okta API key. Okta API key. 
+ + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1OktaSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + If set, will be used as the base domain for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com. If set, will be used as the base domain for API requests. + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + orgName : str, default is Undefined, optional + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. + primaryEmail : bool, default is Undefined, optional + If set to true, the username will only match the primary email for the account. If set to true, the username will only match the primary email for the account. + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + baseUrl?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + orgName?: str + + primaryEmail?: bool + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1OktaSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1OktaSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1OktaSpecProviderConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1OktaSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1OktaSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1OktaSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1OktaSpecProviderRefPolicy + + +schema MfaVaultUpboundIoV1alpha1OktaSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToConfigRef + + metadata?: MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToMetadata + + name: str + + +schema MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1OktaSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema MfaVaultUpboundIoV1alpha1OktaSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1OktaStatus: + r""" + OktaStatus defines the observed state of Okta. + + Attributes + ---------- + atProvider : MfaVaultUpboundIoV1alpha1OktaStatusAtProvider, default is Undefined, optional + at provider + conditions : [MfaVaultUpboundIoV1alpha1OktaStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: MfaVaultUpboundIoV1alpha1OktaStatusAtProvider + + conditions?: [MfaVaultUpboundIoV1alpha1OktaStatusConditionsItems0] + + +schema MfaVaultUpboundIoV1alpha1OktaStatusAtProvider: + r""" + mfa vault upbound io v1alpha1 okta status at provider + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + If set, will be used as the base domain for API requests. Examples are okta.com, oktapreview.com, and okta-emea.com. If set, will be used as the base domain for API requests. + id : str, default is Undefined, optional + id + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + orgName : str, default is Undefined, optional + Name of the organization to be used in the Okta API. Name of the organization to be used in the Okta API. + primaryEmail : bool, default is Undefined, optional + If set to true, the username will only match the primary email for the account. If set to true, the username will only match the primary email for the account. + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + baseUrl?: str + + id?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + orgName?: str + + primaryEmail?: bool + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1OktaStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_pingid.k b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_pingid.k new file mode 100644 index 00000000..8e957bfe --- /dev/null +++ b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_pingid.k 
@@ -0,0 +1,419 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Pingid: + r""" + Pingid is the Schema for the Pingids API. Managing the MFA PingID method configuration + + Attributes + ---------- + apiVersion : str, default is "mfa.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Pingid", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : MfaVaultUpboundIoV1alpha1PingidSpec, default is Undefined, required + spec + status : MfaVaultUpboundIoV1alpha1PingidStatus, default is Undefined, optional + status + """ + + + apiVersion: "mfa.vault.upbound.io/v1alpha1" = "mfa.vault.upbound.io/v1alpha1" + + kind: "Pingid" = "Pingid" + + metadata?: v1.ObjectMeta + + spec: MfaVaultUpboundIoV1alpha1PingidSpec + + status?: MfaVaultUpboundIoV1alpha1PingidStatus + + +schema MfaVaultUpboundIoV1alpha1PingidSpec: + r""" + PingidSpec defines the desired state of Pingid + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : MfaVaultUpboundIoV1alpha1PingidSpecForProvider, default is Undefined, required + for provider + initProvider : MfaVaultUpboundIoV1alpha1PingidSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : MfaVaultUpboundIoV1alpha1PingidSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : MfaVaultUpboundIoV1alpha1PingidSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : MfaVaultUpboundIoV1alpha1PingidSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: MfaVaultUpboundIoV1alpha1PingidSpecForProvider + + initProvider?: MfaVaultUpboundIoV1alpha1PingidSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: MfaVaultUpboundIoV1alpha1PingidSpecProviderConfigRef + + providerRef?: MfaVaultUpboundIoV1alpha1PingidSpecProviderRef + + publishConnectionDetailsTo?: MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: MfaVaultUpboundIoV1alpha1PingidSpecWriteConnectionSecretToRef + + +schema MfaVaultUpboundIoV1alpha1PingidSpecForProvider: + r""" + mfa vault upbound io v1alpha1 pingid spec for provider + + Attributes + ---------- + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. 
+ name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + settingsFileBase64 : str, default is Undefined, optional + A base64-encoded third-party settings file retrieved from PingID's configuration page. A base64-encoded third-party settings file retrieved from PingID's configuration page. + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + mountAccessor?: str + + name?: str + + namespace?: str + + settingsFileBase64?: str + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1PingidSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + settingsFileBase64 : str, default is Undefined, optional + A base64-encoded third-party settings file retrieved from PingID's configuration page. A base64-encoded third-party settings file retrieved from PingID's configuration page. + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. + """ + + + mountAccessor?: str + + name?: str + + namespace?: str + + settingsFileBase64?: str + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1PingidSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : MfaVaultUpboundIoV1alpha1PingidSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1PingidSpecProviderConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1PingidSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1PingidSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1PingidSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1PingidSpecProviderRefPolicy + + +schema MfaVaultUpboundIoV1alpha1PingidSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToConfigRef + + metadata?: MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToMetadata + + name: str + + +schema MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1PingidSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema MfaVaultUpboundIoV1alpha1PingidSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1PingidStatus: + r""" + PingidStatus defines the observed state of Pingid. + + Attributes + ---------- + atProvider : MfaVaultUpboundIoV1alpha1PingidStatusAtProvider, default is Undefined, optional + at provider + conditions : [MfaVaultUpboundIoV1alpha1PingidStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: MfaVaultUpboundIoV1alpha1PingidStatusAtProvider + + conditions?: [MfaVaultUpboundIoV1alpha1PingidStatusConditionsItems0] + + +schema MfaVaultUpboundIoV1alpha1PingidStatusAtProvider: + r""" + mfa vault upbound io v1alpha1 pingid status at provider + + Attributes + ---------- + adminUrl : str, default is Undefined, optional + (string) – Admin URL computed by Vault Admin URL computed by Vault. + authenticatorUrl : str, default is Undefined, optional + (string) – Authenticator URL computed by Vault Authenticator URL computed by Vault. + id : str, default is Undefined, optional + (string) – ID computed by Vault + idpUrl : str, default is Undefined, optional + (string) – IDP URL computed by Vault IDP URL computed by Vault. 
+ mountAccessor : str, default is Undefined, optional + The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + namespaceId : str, default is Undefined, optional + (string) – Namespace ID computed by Vault Namespace ID computed by Vault. + orgAlias : str, default is Undefined, optional + (string) – Org Alias computed by Vault Org Alias computed by Vault. + settingsFileBase64 : str, default is Undefined, optional + A base64-encoded third-party settings file retrieved from PingID's configuration page. A base64-encoded third-party settings file retrieved from PingID's configuration page. + $type : str, default is Undefined, optional + (string) – Type of configuration computed by Vault Type of configuration computed by Vault. + useSignature : bool, default is Undefined, optional + (string) – If set to true, enables use of PingID signature. Computed by Vault If set, enables use of PingID signature. Computed by Vault + usernameFormat : str, default is Undefined, optional + A format string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". If blank, the Alias's Name field will be used as-is. Currently-supported mappings: A format string for mapping Identity names to MFA method names. 
Values to substitute should be placed in `{{}}`. + """ + + + adminUrl?: str + + authenticatorUrl?: str + + id?: str + + idpUrl?: str + + mountAccessor?: str + + name?: str + + namespace?: str + + namespaceId?: str + + orgAlias?: str + + settingsFileBase64?: str + + $type?: str + + useSignature?: bool + + usernameFormat?: str + + +schema MfaVaultUpboundIoV1alpha1PingidStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_totp.k b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_totp.k new file mode 100644 index 00000000..c61a5001 --- /dev/null +++ b/crossplane-provider-vault/mfa/v1alpha1/mfa_vault_upbound_io_v1alpha1_totp.k 
@@ -0,0 +1,439 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Totp: + r""" + Totp is the Schema for the Totps API. Managing the MFA TOTP method configuration + + Attributes + ---------- + apiVersion : str, default is "mfa.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Totp", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : MfaVaultUpboundIoV1alpha1TotpSpec, default is Undefined, required + spec + status : MfaVaultUpboundIoV1alpha1TotpStatus, default is Undefined, optional + status + """ + + + apiVersion: "mfa.vault.upbound.io/v1alpha1" = "mfa.vault.upbound.io/v1alpha1" + + kind: "Totp" = "Totp" + + metadata?: v1.ObjectMeta + + spec: MfaVaultUpboundIoV1alpha1TotpSpec + + status?: MfaVaultUpboundIoV1alpha1TotpStatus + + +schema MfaVaultUpboundIoV1alpha1TotpSpec: + r""" + TotpSpec defines the desired state of Totp + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. 
Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : MfaVaultUpboundIoV1alpha1TotpSpecForProvider, default is Undefined, required + for provider + initProvider : MfaVaultUpboundIoV1alpha1TotpSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : MfaVaultUpboundIoV1alpha1TotpSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : MfaVaultUpboundIoV1alpha1TotpSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : MfaVaultUpboundIoV1alpha1TotpSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: MfaVaultUpboundIoV1alpha1TotpSpecForProvider + + initProvider?: MfaVaultUpboundIoV1alpha1TotpSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: MfaVaultUpboundIoV1alpha1TotpSpecProviderConfigRef + + providerRef?: MfaVaultUpboundIoV1alpha1TotpSpecProviderRef + + publishConnectionDetailsTo?: MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: MfaVaultUpboundIoV1alpha1TotpSpecWriteConnectionSecretToRef + + +schema MfaVaultUpboundIoV1alpha1TotpSpecForProvider: + r""" + mfa vault upbound io v1alpha1 totp spec for provider + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. + digits : float, default is Undefined, optional + The number of digits in the generated TOTP token. This value can either be 6 or 8. 
The number of digits in the generated TOTP token. This value can either be 6 or 8. + issuer : str, default is Undefined, optional + The name of the key's issuing organization. The name of the key's issuing organization. + keySize : float, default is Undefined, optional + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + period : float, default is Undefined, optional + The length of time used to generate a counter for the TOTP token calculation. The length of time used to generate a counter for the TOTP token calculation. + qrSize : float, default is Undefined, optional + The pixel size of the generated square QR code. The pixel size of the generated square QR code. + skew : float, default is Undefined, optional + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + """ + + + algorithm?: str + + digits?: float + + issuer?: str + + keySize?: float + + name?: str + + namespace?: str + + period?: float + + qrSize?: float + + skew?: float + + +schema MfaVaultUpboundIoV1alpha1TotpSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. 
The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. + digits : float, default is Undefined, optional + The number of digits in the generated TOTP token. This value can either be 6 or 8. The number of digits in the generated TOTP token. This value can either be 6 or 8. + issuer : str, default is Undefined, optional + The name of the key's issuing organization. The name of the key's issuing organization. + keySize : float, default is Undefined, optional + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + period : float, default is Undefined, optional + The length of time used to generate a counter for the TOTP token calculation. The length of time used to generate a counter for the TOTP token calculation. + qrSize : float, default is Undefined, optional + The pixel size of the generated square QR code. The pixel size of the generated square QR code. 
+ skew : float, default is Undefined, optional + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + """ + + + algorithm?: str + + digits?: float + + issuer?: str + + keySize?: float + + name?: str + + namespace?: str + + period?: float + + qrSize?: float + + skew?: float + + +schema MfaVaultUpboundIoV1alpha1TotpSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1TotpSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1TotpSpecProviderConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1TotpSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1TotpSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. 
Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1TotpSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1TotpSpecProviderRefPolicy + + +schema MfaVaultUpboundIoV1alpha1TotpSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToConfigRef + + metadata?: MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToMetadata + + name: str + + +schema MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToConfigRefPolicy + + +schema MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MfaVaultUpboundIoV1alpha1TotpSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. 
+ labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema MfaVaultUpboundIoV1alpha1TotpSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema MfaVaultUpboundIoV1alpha1TotpStatus: + r""" + TotpStatus defines the observed state of Totp. + + Attributes + ---------- + atProvider : MfaVaultUpboundIoV1alpha1TotpStatusAtProvider, default is Undefined, optional + at provider + conditions : [MfaVaultUpboundIoV1alpha1TotpStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: MfaVaultUpboundIoV1alpha1TotpStatusAtProvider + + conditions?: [MfaVaultUpboundIoV1alpha1TotpStatusConditionsItems0] + + +schema MfaVaultUpboundIoV1alpha1TotpStatusAtProvider: + r""" + mfa vault upbound io v1alpha1 totp status at provider + + Attributes + ---------- + algorithm : str, default is Undefined, optional + Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256 and SHA512 Specifies the hashing algorithm used to generate the TOTP code. Options include 'SHA1', 'SHA256' and 'SHA512'. + digits : float, default is Undefined, optional + The number of digits in the generated TOTP token. This value can either be 6 or 8. The number of digits in the generated TOTP token. This value can either be 6 or 8. + id : str, default is Undefined, optional + id + issuer : str, default is Undefined, optional + The name of the key's issuing organization. The name of the key's issuing organization. + keySize : float, default is Undefined, optional + Specifies the size in bytes of the generated key. Specifies the size in bytes of the generated key. + name : str, default is Undefined, optional + (string: ) – Name of the MFA method. Name of the MFA method. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + period : float, default is Undefined, optional + The length of time used to generate a counter for the TOTP token calculation. The length of time used to generate a counter for the TOTP token calculation. + qrSize : float, default is Undefined, optional + The pixel size of the generated square QR code. The pixel size of the generated square QR code. 
+ skew : float, default is Undefined, optional + The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. + """ + + + algorithm?: str + + digits?: float + + id?: str + + issuer?: str + + keySize?: float + + name?: str + + namespace?: str + + period?: float + + qrSize?: float + + skew?: float + + +schema MfaVaultUpboundIoV1alpha1TotpStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..602a4cf8 --- /dev/null +++ b/crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,383 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates a MongoDB Atlas secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "mongodbatlas.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "mongodbatlas.vault.upbound.io/v1alpha1" = "mongodbatlas.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpec + + status?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatus + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema 
MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + mongodbatlas vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + mount : str, default is Undefined, optional + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + privateKey : str, default is Undefined, optional + Specifies the Private API Key used to authenticate with the MongoDB Atlas API. The Private Programmatic API Key used to connect with MongoDB Atlas API + publicKey : str, default is Undefined, optional + Specifies the Public API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API + """ + + + mount?: str + + namespace?: str + + privateKey?: str + + publicKey?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + mount : str, default is Undefined, optional + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + privateKey : str, default is Undefined, optional + Specifies the Private API Key used to authenticate with the MongoDB Atlas API. The Private Programmatic API Key used to connect with MongoDB Atlas API + publicKey : str, default is Undefined, optional + Specifies the Public API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API + """ + + + mount?: str + + namespace?: str + + privateKey?: str + + publicKey?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + mongodbatlas vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + mount : str, default is Undefined, optional + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + Path where MongoDB Atlas configuration is located + privateKey : str, default is Undefined, optional + Specifies the Private API Key used to authenticate with the MongoDB Atlas API. The Private Programmatic API Key used to connect with MongoDB Atlas API + publicKey : str, default is Undefined, optional + Specifies the Public API Key used to authenticate with the MongoDB Atlas API. The Public Programmatic API Key used to authenticate with the MongoDB Atlas API + """ + + + id?: str + + mount?: str + + namespace?: str + + path?: str + + privateKey?: str + + publicKey?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_role.k b/crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_role.k new file mode 100644 index 00000000..f1bf437b --- /dev/null +++ b/crossplane-provider-vault/mongodbatlas/v1alpha1/mongodbatlas_vault_upbound_io_v1alpha1_secret_role.k 
@@ -0,0 +1,463 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretRole: + r""" + SecretRole is the Schema for the SecretRoles API. Creates a role for the MongoDB Atlas Secret Engine in Vault. + + Attributes + ---------- + apiVersion : str, default is "mongodbatlas.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpec, default is Undefined, required + spec + status : MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "mongodbatlas.vault.upbound.io/v1alpha1" = "mongodbatlas.vault.upbound.io/v1alpha1" + + kind: "SecretRole" = "SecretRole" + + metadata?: v1.ObjectMeta + + spec: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpec + + status?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatus + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpec: + r""" + SecretRoleSpec defines the desired state of SecretRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecForProvider, default is Undefined, required + for provider + initProvider : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecForProvider + + initProvider?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef + + providerRef?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderRef + + publishConnectionDetailsTo?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef + + +schema 
MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecForProvider: + r""" + mongodbatlas vault upbound io v1alpha1 secret role spec for provider + + Attributes + ---------- + cidrBlocks : [str], default is Undefined, optional + Whitelist entry in CIDR notation to be added for the API key. Whitelist entry in CIDR notation to be added for the API key + ipAddresses : [str], default is Undefined, optional + IP address to be added to the whitelist for the API key. IP address to be added to the whitelist for the API key + maxTtl : str, default is Undefined, optional + The maximum allowed lifetime of credentials issued using this role. The maximum allowed lifetime of credentials issued using this role + mount : str, default is Undefined, optional + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted + name : str, default is Undefined, optional + The name of the role. Name of the role + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organizationId : str, default is Undefined, optional + Unique identifier for the organization to which the target API Key belongs. Required if project_id is not set. ID for the organization to which the target API Key belongs + projectId : str, default is Undefined, optional + Unique identifier for the project to which the target API Key belongs. Required if organization_id is not set. ID for the project to which the target API Key belongs + projectRoles : [str], default is Undefined, optional + Roles assigned when an org API key is assigned to a project API key. Roles assigned when an org API key is assigned to a project API key + roles : [str], default is Undefined, optional + List of roles that the API Key needs to have. 
List of roles that the API Key needs to have + ttl : str, default is Undefined, optional + Duration in seconds after which the issued credential should expire. Duration in seconds after which the issued credential should expire + """ + + + cidrBlocks?: [str] + + ipAddresses?: [str] + + maxTtl?: str + + mount?: str + + name?: str + + namespace?: str + + organizationId?: str + + projectId?: str + + projectRoles?: [str] + + roles?: [str] + + ttl?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + cidrBlocks : [str], default is Undefined, optional + Whitelist entry in CIDR notation to be added for the API key. Whitelist entry in CIDR notation to be added for the API key + ipAddresses : [str], default is Undefined, optional + IP address to be added to the whitelist for the API key. IP address to be added to the whitelist for the API key + maxTtl : str, default is Undefined, optional + The maximum allowed lifetime of credentials issued using this role. The maximum allowed lifetime of credentials issued using this role + mount : str, default is Undefined, optional + Path where the MongoDB Atlas Secrets Engine is mounted. 
Path where MongoDB Atlas secret backend is mounted + name : str, default is Undefined, optional + The name of the role. Name of the role + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organizationId : str, default is Undefined, optional + Unique identifier for the organization to which the target API Key belongs. Required if project_id is not set. ID for the organization to which the target API Key belongs + projectId : str, default is Undefined, optional + Unique identifier for the project to which the target API Key belongs. Required if organization_id is not set. ID for the project to which the target API Key belongs + projectRoles : [str], default is Undefined, optional + Roles assigned when an org API key is assigned to a project API key. Roles assigned when an org API key is assigned to a project API key + roles : [str], default is Undefined, optional + List of roles that the API Key needs to have. List of roles that the API Key needs to have + ttl : str, default is Undefined, optional + Duration in seconds after which the issued credential should expire. Duration in seconds after which the issued credential should expire + """ + + + cidrBlocks?: [str] + + ipAddresses?: [str] + + maxTtl?: str + + mount?: str + + name?: str + + namespace?: str + + organizationId?: str + + projectId?: str + + projectRoles?: [str] + + roles?: [str] + + ttl?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatus: + r""" + SecretRoleStatus defines the observed state of SecretRole. + + Attributes + ---------- + atProvider : MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatusAtProvider + + conditions?: [MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0] + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatusAtProvider: + r""" + mongodbatlas vault upbound io v1alpha1 secret role status at provider + + Attributes + ---------- + cidrBlocks : [str], default is Undefined, optional + Whitelist entry in CIDR notation to be added for the API key. Whitelist entry in CIDR notation to be added for the API key + id : str, default is Undefined, optional + id + ipAddresses : [str], default is Undefined, optional + IP address to be added to the whitelist for the API key. 
IP address to be added to the whitelist for the API key + maxTtl : str, default is Undefined, optional + The maximum allowed lifetime of credentials issued using this role. The maximum allowed lifetime of credentials issued using this role + mount : str, default is Undefined, optional + Path where the MongoDB Atlas Secrets Engine is mounted. Path where MongoDB Atlas secret backend is mounted + name : str, default is Undefined, optional + The name of the role. Name of the role + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organizationId : str, default is Undefined, optional + Unique identifier for the organization to which the target API Key belongs. Required if project_id is not set. ID for the organization to which the target API Key belongs + projectId : str, default is Undefined, optional + Unique identifier for the project to which the target API Key belongs. Required if organization_id is not set. ID for the project to which the target API Key belongs + projectRoles : [str], default is Undefined, optional + Roles assigned when an org API key is assigned to a project API key. Roles assigned when an org API key is assigned to a project API key + roles : [str], default is Undefined, optional + List of roles that the API Key needs to have. List of roles that the API Key needs to have + ttl : str, default is Undefined, optional + Duration in seconds after which the issued credential should expire. 
Duration in seconds after which the issued credential should expire + """ + + + cidrBlocks?: [str] + + id?: str + + ipAddresses?: [str] + + maxTtl?: str + + mount?: str + + name?: str + + namespace?: str + + organizationId?: str + + projectId?: str + + projectRoles?: [str] + + roles?: [str] + + ttl?: str + + +schema MongodbatlasVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..38d61c8b --- /dev/null +++ b/crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,553 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates a Nomad secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "nomad.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : NomadVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : NomadVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "nomad.vault.upbound.io/v1alpha1" = "nomad.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: NomadVaultUpboundIoV1alpha1SecretBackendSpec + + status?: NomadVaultUpboundIoV1alpha1SecretBackendStatus + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the 
external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : NomadVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : NomadVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: NomadVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: NomadVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + nomad vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + address : str, default is Undefined, optional + Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". 
+ backend : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to nomad. The mount path for the Nomad backend. + caCert : str, default is Undefined, optional + CA certificate to use when verifying the Nomad server certificate, must be x509 PEM encoded. CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. + clientCertSecretRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientCertSecretRef, default is Undefined, optional + client cert secret ref + clientKeySecretRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientKeySecretRef, default is Undefined, optional + client key secret ref + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for secrets in seconds. Default lease duration for secrets in seconds. + description : str, default is Undefined, optional + Human-friendly description of the mount for the Active Directory backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. + maxTokenNameLength : float, default is Undefined, optional + Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. 
If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. + maxTtl : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + tokenSecretRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderTokenSecretRef, default is Undefined, optional + token secret ref + ttl : float, default is Undefined, optional + Specifies the ttl of the lease for the generated token. Maximum possible lease duration for secrets in seconds. + """ + + + address?: str + + backend?: str + + caCert?: str + + clientCertSecretRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientCertSecretRef + + clientKeySecretRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientKeySecretRef + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + maxTokenNameLength?: float + + maxTtl?: float + + namespace?: str + + tokenSecretRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderTokenSecretRef + + ttl?: float + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientCertSecretRef: + r""" + Client certificate to provide to the Nomad server, must be x509 PEM encoded. Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key. 
+ + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderClientKeySecretRef: + r""" + Client certificate key to provide to the Nomad server, must be x509 PEM encoded. Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecForProviderTokenSecretRef: + r""" + Specifies the Nomad Management token to use. Specifies the Nomad Management token to use. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + address : str, default is Undefined, optional + Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". + backend : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to nomad. The mount path for the Nomad backend. + caCert : str, default is Undefined, optional + CA certificate to use when verifying the Nomad server certificate, must be x509 PEM encoded. CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for secrets in seconds. Default lease duration for secrets in seconds. + description : str, default is Undefined, optional + Human-friendly description of the mount for the Active Directory backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + local : bool, default is Undefined, optional + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. 
+ maxTokenNameLength : float, default is Undefined, optional + Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. + maxTtl : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ttl : float, default is Undefined, optional + Specifies the ttl of the lease for the generated token. Maximum possible lease duration for secrets in seconds. + """ + + + address?: str + + backend?: str + + caCert?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + maxTokenNameLength?: float + + maxTtl?: float + + namespace?: str + + ttl?: float + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema NomadVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema NomadVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : NomadVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [NomadVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: NomadVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [NomadVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema NomadVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + nomad vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + address : str, default is Undefined, optional + Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". Specifies the address of the Nomad instance, provided as "protocol://host:port" like "http://127.0.0.1:4646". 
+ backend : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to nomad. The mount path for the Nomad backend. + caCert : str, default is Undefined, optional + CA certificate to use when verifying the Nomad server certificate, must be x509 PEM encoded. CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for secrets in seconds. Default lease duration for secrets in seconds. + description : str, default is Undefined, optional + Human-friendly description of the mount for the Active Directory backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time. Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time. + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. + maxTokenNameLength : float, default is Undefined, optional + Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. Specifies the maximum length to use for the name of the Nomad token generated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed by the Nomad version. 
+ maxTtl : float, default is Undefined, optional + Maximum possible lease duration for secrets in seconds. Maximum possible lease duration for secrets in seconds. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ttl : float, default is Undefined, optional + Specifies the ttl of the lease for the generated token. Maximum possible lease duration for secrets in seconds. + """ + + + address?: str + + backend?: str + + caCert?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + id?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + maxTokenNameLength?: float + + maxTtl?: float + + namespace?: str + + ttl?: float + + +schema NomadVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_role.k b/crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_role.k new file mode 100644 index 00000000..9440f5ae --- /dev/null +++ b/crossplane-provider-vault/nomad/v1alpha1/nomad_vault_upbound_io_v1alpha1_secret_role.k 
@@ -0,0 +1,403 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretRole: + r""" + SecretRole is the Schema for the SecretRoles API. Creates a Nomad role. + + Attributes + ---------- + apiVersion : str, default is "nomad.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : NomadVaultUpboundIoV1alpha1SecretRoleSpec, default is Undefined, required + spec + status : NomadVaultUpboundIoV1alpha1SecretRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "nomad.vault.upbound.io/v1alpha1" = "nomad.vault.upbound.io/v1alpha1" + + kind: "SecretRole" = "SecretRole" + + metadata?: v1.ObjectMeta + + spec: NomadVaultUpboundIoV1alpha1SecretRoleSpec + + status?: NomadVaultUpboundIoV1alpha1SecretRoleStatus + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpec: + r""" + SecretRoleSpec defines the desired state of SecretRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : NomadVaultUpboundIoV1alpha1SecretRoleSpecForProvider, default is Undefined, required + for provider + initProvider : NomadVaultUpboundIoV1alpha1SecretRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : NomadVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: NomadVaultUpboundIoV1alpha1SecretRoleSpecForProvider + + initProvider?: NomadVaultUpboundIoV1alpha1SecretRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef + + providerRef?: NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderRef + + publishConnectionDetailsTo?: NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: NomadVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecForProvider: + r""" + nomad vault upbound io v1alpha1 secret role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique path this backend should be mounted at. The mount path for the Nomad backend. + global : bool, default is Undefined, optional + Specifies if the generated token should be global. Defaults to false. Specifies if the token should be global. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies attached to the generated token. This setting is only used when type is 'client'. Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. + role : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Name of the role. + $type : str, default is Undefined, optional + Specifies the type of token to create when using this role. Valid settings are 'client' and 'management'. Defaults to 'client'. Specifies the type of token to create when using this role. Valid values are "client" or "management". + """ + + + backend?: str + + global?: bool + + namespace?: str + + policies?: [str] + + role?: str + + $type?: str + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + backend : str, default is Undefined, optional + The unique path this backend should be mounted at. The mount path for the Nomad backend. + global : bool, default is Undefined, optional + Specifies if the generated token should be global. Defaults to false. Specifies if the token should be global. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies attached to the generated token. This setting is only used when type is 'client'. Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. + role : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Name of the role. + $type : str, default is Undefined, optional + Specifies the type of token to create when using this role. Valid settings are 'client' and 'management'. Defaults to 'client'. Specifies the type of token to create when using this role. Valid values are "client" or "management". + """ + + + backend?: str + + global?: bool + + namespace?: str + + policies?: [str] + + role?: str + + $type?: str + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema NomadVaultUpboundIoV1alpha1SecretRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema NomadVaultUpboundIoV1alpha1SecretRoleStatus: + r""" + SecretRoleStatus defines the observed state of SecretRole. + + Attributes + ---------- + atProvider : NomadVaultUpboundIoV1alpha1SecretRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [NomadVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: NomadVaultUpboundIoV1alpha1SecretRoleStatusAtProvider + + conditions?: [NomadVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0] + + +schema NomadVaultUpboundIoV1alpha1SecretRoleStatusAtProvider: + r""" + nomad vault upbound io v1alpha1 secret role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The unique path this backend should be mounted at. The mount path for the Nomad backend. + global : bool, default is Undefined, optional + Specifies if the generated token should be global. Defaults to false. Specifies if the token should be global. 
+ id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policies : [str], default is Undefined, optional + List of policies attached to the generated token. This setting is only used when type is 'client'. Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad. + role : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Name of the role. + $type : str, default is Undefined, optional + Specifies the type of token to create when using this role. Valid settings are 'client' and 'management'. Defaults to 'client'. Specifies the type of token to create when using this role. Valid values are "client" or "management". + """ + + + backend?: str + + global?: bool + + id?: str + + namespace?: str + + policies?: [str] + + role?: str + + $type?: str + + +schema NomadVaultUpboundIoV1alpha1SecretRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend.k b/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend.k new file mode 100644 index 00000000..562025b1 --- /dev/null +++ b/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend.k 
@@ -0,0 +1,613 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackend: + r""" + AuthBackend is the Schema for the AuthBackends API. + + Attributes + ---------- + apiVersion : str, default is "okta.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : OktaVaultUpboundIoV1alpha1AuthBackendSpec, default is Undefined, required + spec + status : OktaVaultUpboundIoV1alpha1AuthBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "okta.vault.upbound.io/v1alpha1" = "okta.vault.upbound.io/v1alpha1" + + kind: "AuthBackend" = "AuthBackend" + + metadata?: v1.ObjectMeta + + spec: OktaVaultUpboundIoV1alpha1AuthBackendSpec + + status?: OktaVaultUpboundIoV1alpha1AuthBackendStatus + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpec: + r""" + AuthBackendSpec defines the desired state of AuthBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : OktaVaultUpboundIoV1alpha1AuthBackendSpecForProvider, default is Undefined, required + for provider + initProvider : OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : OktaVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: OktaVaultUpboundIoV1alpha1AuthBackendSpecForProvider + + initProvider?: OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef + + providerRef?: OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderRef + + publishConnectionDetailsTo?: OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: OktaVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecForProvider: + r""" + okta vault upbound io v1alpha1 auth backend spec for provider + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + The Okta url. Examples: oktapreview.com, okta.com (default) + bypassOktaMfa : bool, default is Undefined, optional + When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired. 
+ description : str, default is Undefined, optional + The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + group : [OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderGroupItems0], default is Undefined, optional + group + maxTtl : str, default is Undefined, optional + Maximum duration after which authentication will be expired + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The Okta organization. This will be the first part of the url https://XXX.okta.com. + path : str, default is Undefined, optional + path to mount the backend + tokenSecretRef : OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderTokenSecretRef, default is Undefined, optional + token secret ref + ttl : str, default is Undefined, optional + Duration after which authentication will be expired + user : [OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderUserItems0], default is Undefined, optional + user + """ + + + baseUrl?: str + + bypassOktaMfa?: bool + + description?: str + + disableRemount?: bool + + group?: [OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderGroupItems0] + + maxTtl?: str + + namespace?: str + + organization?: str + + path?: str + + tokenSecretRef?: OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderTokenSecretRef + + ttl?: str + + user?: [OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderUserItems0] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderGroupItems0: + r""" + okta vault upbound io v1alpha1 auth backend spec for provider group items0 + + Attributes + ---------- + groupName : str, default is Undefined, optional + group name + policies : [str], default is Undefined, optional + policies + """ + + + groupName?: str + + policies?: [str] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderTokenSecretRef: + r""" + The Okta API token. 
This is required to query Okta for user group membership. If this is not supplied only locally configured groups will be enabled. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecForProviderUserItems0: + r""" + okta vault upbound io v1alpha1 auth backend spec for provider user items0 + + Attributes + ---------- + groups : [str], default is Undefined, optional + groups + policies : [str], default is Undefined, optional + policies + username : str, default is Undefined, optional + username + """ + + + groups?: [str] + + policies?: [str] + + username?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + baseUrl : str, default is Undefined, optional + The Okta url. Examples: oktapreview.com, okta.com (default) + bypassOktaMfa : bool, default is Undefined, optional + When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired. 
+ description : str, default is Undefined, optional + The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + group : [OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProviderGroupItems0], default is Undefined, optional + group + maxTtl : str, default is Undefined, optional + Maximum duration after which authentication will be expired + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The Okta organization. This will be the first part of the url https://XXX.okta.com. + path : str, default is Undefined, optional + path to mount the backend + ttl : str, default is Undefined, optional + Duration after which authentication will be expired + user : [OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProviderUserItems0], default is Undefined, optional + user + """ + + + baseUrl?: str + + bypassOktaMfa?: bool + + description?: str + + disableRemount?: bool + + group?: [OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProviderGroupItems0] + + maxTtl?: str + + namespace?: str + + organization?: str + + path?: str + + ttl?: str + + user?: [OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProviderUserItems0] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProviderGroupItems0: + r""" + okta vault upbound io v1alpha1 auth backend spec init provider group items0 + + Attributes + ---------- + groupName : str, default is Undefined, optional + group name + policies : [str], default is Undefined, optional + policies + """ + + + groupName?: str + + policies?: [str] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecInitProviderUserItems0: + r""" + okta vault upbound io v1alpha1 auth backend spec init provider user items0 + + Attributes + ---------- + groups : [str], default is Undefined, optional + groups + policies : [str], default is Undefined, optional + policies + username : str, default is 
Undefined, optional + username + """ + + + groups?: [str] + + policies?: [str] + + username?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendStatus: + r""" + AuthBackendStatus defines the observed state of AuthBackend. + + Attributes + ---------- + atProvider : OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [OktaVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProvider + + conditions?: [OktaVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProvider: + r""" + okta vault upbound io v1alpha1 auth backend status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The mount accessor related to the auth mount. + baseUrl : str, default is Undefined, optional + The Okta url. Examples: oktapreview.com, okta.com (default) + bypassOktaMfa : bool, default is Undefined, optional + When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired. + description : str, default is Undefined, optional + The description of the auth backend + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. + group : [OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProviderGroupItems0], default is Undefined, optional + group + id : str, default is Undefined, optional + id + maxTtl : str, default is Undefined, optional + Maximum duration after which authentication will be expired + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The Okta organization. This will be the first part of the url https://XXX.okta.com. 
+ path : str, default is Undefined, optional + path to mount the backend + ttl : str, default is Undefined, optional + Duration after which authentication will be expired + user : [OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProviderUserItems0], default is Undefined, optional + user + """ + + + accessor?: str + + baseUrl?: str + + bypassOktaMfa?: bool + + description?: str + + disableRemount?: bool + + group?: [OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProviderGroupItems0] + + id?: str + + maxTtl?: str + + namespace?: str + + organization?: str + + path?: str + + ttl?: str + + user?: [OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProviderUserItems0] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProviderGroupItems0: + r""" + okta vault upbound io v1alpha1 auth backend status at provider group items0 + + Attributes + ---------- + groupName : str, default is Undefined, optional + group name + policies : [str], default is Undefined, optional + policies + """ + + + groupName?: str + + policies?: [str] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendStatusAtProviderUserItems0: + r""" + okta vault upbound io v1alpha1 auth backend status at provider user items0 + + Attributes + ---------- + groups : [str], default is Undefined, optional + groups + policies : [str], default is Undefined, optional + policies + username : str, default is Undefined, optional + username + """ + + + groups?: [str] + + policies?: [str] + + username?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_group.k b/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_group.k new file mode 100644 index 00000000..8b24fc1a --- /dev/null +++ b/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_group.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendGroup: + r""" + AuthBackendGroup is the Schema for the AuthBackendGroups API. + + Attributes + ---------- + apiVersion : str, default is "okta.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendGroup", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpec, default is Undefined, required + spec + status : OktaVaultUpboundIoV1alpha1AuthBackendGroupStatus, default is Undefined, optional + status + """ + + + apiVersion: "okta.vault.upbound.io/v1alpha1" = "okta.vault.upbound.io/v1alpha1" + + kind: "AuthBackendGroup" = "AuthBackendGroup" + + metadata?: v1.ObjectMeta + + spec: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpec + + status?: OktaVaultUpboundIoV1alpha1AuthBackendGroupStatus + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpec: + r""" + AuthBackendGroupSpec defines the desired state of AuthBackendGroup + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external 
resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecForProvider, default is Undefined, required + for provider + initProvider : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecForProvider + + initProvider?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRef + + providerRef?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRef + + publishConnectionDetailsTo?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecWriteConnectionSecretToRef + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecForProvider: + r""" + okta vault upbound io v1alpha1 auth backend group spec for provider + + Attributes + ---------- + groupName : str, default is Undefined, optional + Name of the Okta group + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + Path to the Okta auth backend + policies : [str], default is Undefined, optional + Policies to associate with this group + """ + + + groupName?: str + + namespace?: str + + path?: str + + policies?: [str] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + groupName : str, default is Undefined, optional + Name of the Okta group + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to the Okta auth backend + policies : [str], default is Undefined, optional + Policies to associate with this group + """ + + + groupName?: str + + namespace?: str + + path?: str + + policies?: [str] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRef + + metadata?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToMetadata + + name: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupStatus: + r""" + AuthBackendGroupStatus defines the observed state of AuthBackendGroup. + + Attributes + ---------- + atProvider : OktaVaultUpboundIoV1alpha1AuthBackendGroupStatusAtProvider, default is Undefined, optional + at provider + conditions : [OktaVaultUpboundIoV1alpha1AuthBackendGroupStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: OktaVaultUpboundIoV1alpha1AuthBackendGroupStatusAtProvider + + conditions?: [OktaVaultUpboundIoV1alpha1AuthBackendGroupStatusConditionsItems0] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupStatusAtProvider: + r""" + okta vault upbound io v1alpha1 auth backend group status at provider + + Attributes + ---------- + groupName : str, default is Undefined, optional + Name of the Okta group + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + Path to the Okta auth backend + policies : [str], default is Undefined, optional + Policies to associate with this group + """ + + + groupName?: str + + id?: str + + namespace?: str + + path?: str + + policies?: [str] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendGroupStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_user.k b/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_user.k new file mode 100644 index 00000000..8c61d1dc --- /dev/null +++ b/crossplane-provider-vault/okta/v1alpha1/okta_vault_upbound_io_v1alpha1_auth_backend_user.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendUser: + r""" + AuthBackendUser is the Schema for the AuthBackendUsers API. + + Attributes + ---------- + apiVersion : str, default is "okta.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendUser", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : OktaVaultUpboundIoV1alpha1AuthBackendUserSpec, default is Undefined, required + spec + status : OktaVaultUpboundIoV1alpha1AuthBackendUserStatus, default is Undefined, optional + status + """ + + + apiVersion: "okta.vault.upbound.io/v1alpha1" = "okta.vault.upbound.io/v1alpha1" + + kind: "AuthBackendUser" = "AuthBackendUser" + + metadata?: v1.ObjectMeta + + spec: OktaVaultUpboundIoV1alpha1AuthBackendUserSpec + + status?: OktaVaultUpboundIoV1alpha1AuthBackendUserStatus + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpec: + r""" + AuthBackendUserSpec defines the desired state of AuthBackendUser + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecForProvider, default is Undefined, required + for provider + initProvider : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecForProvider + + initProvider?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRef + + providerRef?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRef + + publishConnectionDetailsTo?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecWriteConnectionSecretToRef + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecForProvider: + r""" + okta vault upbound io v1alpha1 auth backend user spec for provider + + Attributes + ---------- + groups : [str], default is Undefined, optional + Groups within the Okta auth backend to associate with this user + namespace : str, default is Undefined, optional + Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + Path to the Okta auth backend + policies : [str], default is Undefined, optional + Policies to associate with this user + username : str, default is Undefined, optional + Name of the user within Okta + """ + + + groups?: [str] + + namespace?: str + + path?: str + + policies?: [str] + + username?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + groups : [str], default is Undefined, optional + Groups within the Okta auth backend to associate with this user + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to the Okta auth backend + policies : [str], default is Undefined, optional + Policies to associate with this user + username : str, default is Undefined, optional + Name of the user within Okta + """ + + + groups?: [str] + + namespace?: str + + path?: str + + policies?: [str] + + username?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRef + + metadata?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToMetadata + + name: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRefPolicy + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. 
+ $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserStatus: + r""" + AuthBackendUserStatus defines the observed state of AuthBackendUser. + + Attributes + ---------- + atProvider : OktaVaultUpboundIoV1alpha1AuthBackendUserStatusAtProvider, default is Undefined, optional + at provider + conditions : [OktaVaultUpboundIoV1alpha1AuthBackendUserStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: OktaVaultUpboundIoV1alpha1AuthBackendUserStatusAtProvider + + conditions?: [OktaVaultUpboundIoV1alpha1AuthBackendUserStatusConditionsItems0] + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserStatusAtProvider: + r""" + okta vault upbound io v1alpha1 auth backend user status at provider + + Attributes + ---------- + groups : [str], default is Undefined, optional + Groups within the Okta auth backend to associate with this user + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to the Okta auth backend + policies : [str], default is Undefined, optional + Policies to associate with this user + username : str, default is Undefined, optional + Name of the user within Okta + """ + + + groups?: [str] + + id?: str + + namespace?: str + + path?: str + + policies?: [str] + + username?: str + + +schema OktaVaultUpboundIoV1alpha1AuthBackendUserStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/password/v1alpha1/password_vault_upbound_io_v1alpha1_policy.k b/crossplane-provider-vault/password/v1alpha1/password_vault_upbound_io_v1alpha1_policy.k
new file mode 100644
index 00000000..081cb52c
--- /dev/null
+++ b/crossplane-provider-vault/password/v1alpha1/password_vault_upbound_io_v1alpha1_policy.k
@@ -0,0 +1,367 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Policy: + r""" + Policy is the Schema for the Policys API. Writes Password policies for Vault + + Attributes + ---------- + apiVersion : str, default is "password.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Policy", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PasswordVaultUpboundIoV1alpha1PolicySpec, default is Undefined, required + spec + status : PasswordVaultUpboundIoV1alpha1PolicyStatus, default is Undefined, optional + status + """ + + + apiVersion: "password.vault.upbound.io/v1alpha1" = "password.vault.upbound.io/v1alpha1" + + kind: "Policy" = "Policy" + + metadata?: v1.ObjectMeta + + spec: PasswordVaultUpboundIoV1alpha1PolicySpec + + status?: PasswordVaultUpboundIoV1alpha1PolicyStatus + + +schema PasswordVaultUpboundIoV1alpha1PolicySpec: + r""" + PolicySpec defines the desired state of Policy + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PasswordVaultUpboundIoV1alpha1PolicySpecForProvider, default is Undefined, required + for provider + initProvider : PasswordVaultUpboundIoV1alpha1PolicySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PasswordVaultUpboundIoV1alpha1PolicySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PasswordVaultUpboundIoV1alpha1PolicySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PasswordVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PasswordVaultUpboundIoV1alpha1PolicySpecForProvider + + initProvider?: PasswordVaultUpboundIoV1alpha1PolicySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PasswordVaultUpboundIoV1alpha1PolicySpecProviderConfigRef + + providerRef?: PasswordVaultUpboundIoV1alpha1PolicySpecProviderRef + + publishConnectionDetailsTo?: PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PasswordVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecForProvider: + r""" + password vault upbound io v1alpha1 policy spec for provider + + Attributes + ---------- + name : str, default is Undefined, optional + The name of the password policy. Name of the password policy. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. 
Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a password policy. The password policy document + """ + + + name?: str + + namespace?: str + + policy?: str + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + name : str, default is Undefined, optional + The name of the password policy. Name of the password policy. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a password policy. The password policy document + """ + + + name?: str + + namespace?: str + + policy?: str + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : PasswordVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PasswordVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PasswordVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PasswordVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef + + metadata?: PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata + + name: str + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PasswordVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PasswordVaultUpboundIoV1alpha1PolicyStatus: + r""" + PolicyStatus defines the observed state of Policy. + + Attributes + ---------- + atProvider : PasswordVaultUpboundIoV1alpha1PolicyStatusAtProvider, default is Undefined, optional + at provider + conditions : [PasswordVaultUpboundIoV1alpha1PolicyStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PasswordVaultUpboundIoV1alpha1PolicyStatusAtProvider + + conditions?: [PasswordVaultUpboundIoV1alpha1PolicyStatusConditionsItems0] + + +schema PasswordVaultUpboundIoV1alpha1PolicyStatusAtProvider: + r""" + password vault upbound io v1alpha1 policy status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the password policy. Name of the password policy. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. 
Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a password policy. The password policy document + """ + + + id?: str + + name?: str + + namespace?: str + + policy?: str + + +schema PasswordVaultUpboundIoV1alpha1PolicyStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_cert.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_cert.k new file mode 100644 index 00000000..46440416 --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_cert.k 
@@ -0,0 +1,563 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendCert: + r""" + SecretBackendCert is the Schema for the SecretBackendCerts API. Generate an PKI certificate. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendCert", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendCertSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendCertStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendCert" = "SecretBackendCert" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendCertSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendCertStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpec: + r""" + SecretBackendCertSpec defines the desired state of SecretBackendCert + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" 
or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend cert spec for provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + autoRenew : bool, default is Undefined, optional + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. 
Default false If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of certificate to create CN of the certificate to create. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. + minSecondsRemaining : float, default is Undefined, optional + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate a new certificate when the expiration is within this number of seconds + name : str, default is Undefined, optional + Name of the role to create the certificate against Name of the role to create the certificate against. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + revoke : bool, default is Undefined, optional + If set to true, the certificate will be revoked on resource destruction. Revoke the certificate upon resource destruction. + ttl : str, default is Undefined, optional + Time to live Time to live. 
+ uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. + userIds : [str], default is Undefined, optional + List of Subject User IDs List of Subject User IDs. + """ + + + altNames?: [str] + + autoRenew?: bool + + backend?: str + + commonName?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerRef?: str + + minSecondsRemaining?: float + + name?: str + + namespace?: str + + otherSans?: [str] + + privateKeyFormat?: str + + revoke?: bool + + ttl?: str + + uriSans?: [str] + + userIds?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + autoRenew : bool, default is Undefined, optional + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of certificate to create CN of the certificate to create. 
+ excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. + minSecondsRemaining : float, default is Undefined, optional + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate a new certificate when the expiration is within this number of seconds + name : str, default is Undefined, optional + Name of the role to create the certificate against Name of the role to create the certificate against. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + revoke : bool, default is Undefined, optional + If set to true, the certificate will be revoked on resource destruction. Revoke the certificate upon resource destruction. + ttl : str, default is Undefined, optional + Time to live Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. + userIds : [str], default is Undefined, optional + List of Subject User IDs List of Subject User IDs. 
+ """ + + + altNames?: [str] + + autoRenew?: bool + + backend?: str + + commonName?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerRef?: str + + minSecondsRemaining?: float + + name?: str + + namespace?: str + + otherSans?: [str] + + privateKeyFormat?: str + + revoke?: bool + + ttl?: str + + uriSans?: [str] + + userIds?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. 
Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertStatus: + r""" + SecretBackendCertStatus defines the observed state of SecretBackendCert. 
+ + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendCertStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendCertStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendCertStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendCertStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend cert status at provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + autoRenew : bool, default is Undefined, optional + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + caChain : str, default is Undefined, optional + The CA chain The CA chain. + certificate : str, default is Undefined, optional + The certificate The certicate. + commonName : str, default is Undefined, optional + CN of certificate to create CN of the certificate to create. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + expiration : float, default is Undefined, optional + The expiration date of the certificate in unix epoch format The certificate expiration as a Unix-style timestamp. + format : str, default is Undefined, optional + The format of data The format of data. + id : str, default is Undefined, optional + id + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. 
+ issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. + issuingCa : str, default is Undefined, optional + The issuing CA The issuing CA. + minSecondsRemaining : float, default is Undefined, optional + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate a new certificate when the expiration is within this number of seconds + name : str, default is Undefined, optional + Name of the role to create the certificate against Name of the role to create the certificate against. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + privateKeyType : str, default is Undefined, optional + The private key type The private key type. + renewPending : bool, default is Undefined, optional + true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending. Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. + revoke : bool, default is Undefined, optional + If set to true, the certificate will be revoked on resource destruction. Revoke the certificate upon resource destruction. + serialNumber : str, default is Undefined, optional + The serial number The serial number. + ttl : str, default is Undefined, optional + Time to live Time to live. 
+ uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. + userIds : [str], default is Undefined, optional + List of Subject User IDs List of Subject User IDs. + """ + + + altNames?: [str] + + autoRenew?: bool + + backend?: str + + caChain?: str + + certificate?: str + + commonName?: str + + excludeCnFromSans?: bool + + expiration?: float + + format?: str + + id?: str + + ipSans?: [str] + + issuerRef?: str + + issuingCa?: str + + minSecondsRemaining?: float + + name?: str + + namespace?: str + + otherSans?: [str] + + privateKeyFormat?: str + + privateKeyType?: str + + renewPending?: bool + + revoke?: bool + + serialNumber?: str + + ttl?: str + + uriSans?: [str] + + userIds?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCertStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_c_a.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_c_a.k new file mode 100644 index 00000000..1d839d07 --- /dev/null 
+++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_c_a.k 
@@ -0,0 +1,381 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendConfigCA: + r""" + SecretBackendConfigCA is the Schema for the SecretBackendConfigCAs API. Submit the CA information to PKI. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendConfigCA", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendConfigCA" = "SecretBackendConfigCA" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpec: + r""" + SecretBackendConfigCASpec defines the desired state of SecretBackendConfigCA + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecWriteConnectionSecretToRef + + +schema 
PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend config c a spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pemBundleSecretRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecForProviderPemBundleSecretRef, default is Undefined, optional + pem bundle secret ref + """ + + + backend?: str + + namespace?: str + + pemBundleSecretRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecForProviderPemBundleSecretRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecForProviderPemBundleSecretRef: + r""" + The key and certificate PEM bundle The key and certificate PEM bundle. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + namespace?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCASpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatus: + r""" + SecretBackendConfigCAStatus defines the observed state of SecretBackendConfigCA. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend config c a status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + id?: str + + namespace?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigCAStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_urls.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_urls.k new file mode 100644 index 00000000..90de7db1 --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_config_urls.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendConfigUrls: + r""" + SecretBackendConfigUrls is the Schema for the SecretBackendConfigUrlss API. Sets the config URL's on an PKI Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendConfigUrls", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendConfigUrls" = "SecretBackendConfigUrls" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpec: + r""" + SecretBackendConfigUrlsSpec defines the desired state of SecretBackendConfigUrls + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecWriteConnectionSecretToRef + + +schema 
PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend config urls spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + crlDistributionPoints : [str], default is Undefined, optional + Specifies the URL values for the CRL Distribution Points field. Specifies the URL values for the CRL Distribution Points field. + issuingCertificates : [str], default is Undefined, optional + Specifies the URL values for the Issuing Certificate field. Specifies the URL values for the Issuing Certificate field. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ocspServers : [str], default is Undefined, optional + Specifies the URL values for the OCSP Servers field. Specifies the URL values for the OCSP Servers field. + """ + + + backend?: str + + crlDistributionPoints?: [str] + + issuingCertificates?: [str] + + namespace?: str + + ocspServers?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + crlDistributionPoints : [str], default is Undefined, optional + Specifies the URL values for the CRL Distribution Points field. Specifies the URL values for the CRL Distribution Points field. + issuingCertificates : [str], default is Undefined, optional + Specifies the URL values for the Issuing Certificate field. Specifies the URL values for the Issuing Certificate field. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ocspServers : [str], default is Undefined, optional + Specifies the URL values for the OCSP Servers field. Specifies the URL values for the OCSP Servers field. + """ + + + backend?: str + + crlDistributionPoints?: [str] + + issuingCertificates?: [str] + + namespace?: str + + ocspServers?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatus: + r""" + SecretBackendConfigUrlsStatus defines the observed state of SecretBackendConfigUrls. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend config urls status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. 
+ crlDistributionPoints : [str], default is Undefined, optional + Specifies the URL values for the CRL Distribution Points field. Specifies the URL values for the CRL Distribution Points field. + id : str, default is Undefined, optional + id + issuingCertificates : [str], default is Undefined, optional + Specifies the URL values for the Issuing Certificate field. Specifies the URL values for the Issuing Certificate field. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ocspServers : [str], default is Undefined, optional + Specifies the URL values for the OCSP Servers field. Specifies the URL values for the OCSP Servers field. + """ + + + backend?: str + + crlDistributionPoints?: [str] + + id?: str + + issuingCertificates?: [str] + + namespace?: str + + ocspServers?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendConfigUrlsStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. 
+ """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_crl_config.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_crl_config.k new file mode 100644 index 00000000..416838ac --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_crl_config.k 
@@ -0,0 +1,487 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendCrlConfig: + r""" + SecretBackendCrlConfig is the Schema for the SecretBackendCrlConfigs API. Sets the CRL config on an PKI Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendCrlConfig", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendCrlConfig" = "SecretBackendCrlConfig" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpec: + r""" + SecretBackendCrlConfigSpec defines the desired state of SecretBackendCrlConfig + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecWriteConnectionSecretToRef + + +schema 
PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend crl config spec for provider + + Attributes + ---------- + autoRebuild : bool, default is Undefined, optional + Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ Enables or disables periodic rebuilding of the CRL upon expiry. + autoRebuildGracePeriod : str, default is Undefined, optional + Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ Grace period before CRL expiry to attempt rebuild of CRL. + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + crossClusterRevocation : bool, default is Undefined, optional + Enable cross-cluster revocation request queues. Vault 1.13+ Enable cross-cluster revocation request queues. + deltaRebuildInterval : str, default is Undefined, optional + Interval to check for new revocations on, to regenerate the delta CRL. Interval to check for new revocations on, to regenerate the delta CRL. + disable : bool, default is Undefined, optional + Disables or enables CRL building. Disables or enables CRL building + enableDelta : bool, default is Undefined, optional + Enables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. Vault 1.12+ Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. + expiry : str, default is Undefined, optional + Specifies the time until expiration. Specifies the time until expiration. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + ocspDisable : bool, default is Undefined, optional + Disables the OCSP responder in Vault. Vault 1.12+ Disables or enables the OCSP responder in Vault. + ocspExpiry : str, default is Undefined, optional + The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. Vault 1.12+ The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. + unifiedCrl : bool, default is Undefined, optional + Enables unified CRL and OCSP building. Vault 1.13+ Enables unified CRL and OCSP building. + unifiedCrlOnExistingPaths : bool, default is Undefined, optional + Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. Vault 1.13+ Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. + """ + + + autoRebuild?: bool + + autoRebuildGracePeriod?: str + + backend?: str + + crossClusterRevocation?: bool + + deltaRebuildInterval?: str + + disable?: bool + + enableDelta?: bool + + expiry?: str + + namespace?: str + + ocspDisable?: bool + + ocspExpiry?: str + + unifiedCrl?: bool + + unifiedCrlOnExistingPaths?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + autoRebuild : bool, default is Undefined, optional + Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ Enables or disables periodic rebuilding of the CRL upon expiry. + autoRebuildGracePeriod : str, default is Undefined, optional + Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ Grace period before CRL expiry to attempt rebuild of CRL. + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + crossClusterRevocation : bool, default is Undefined, optional + Enable cross-cluster revocation request queues. Vault 1.13+ Enable cross-cluster revocation request queues. + deltaRebuildInterval : str, default is Undefined, optional + Interval to check for new revocations on, to regenerate the delta CRL. Interval to check for new revocations on, to regenerate the delta CRL. + disable : bool, default is Undefined, optional + Disables or enables CRL building. Disables or enables CRL building + enableDelta : bool, default is Undefined, optional + Enables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. Vault 1.12+ Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. + expiry : str, default is Undefined, optional + Specifies the time until expiration. Specifies the time until expiration. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ocspDisable : bool, default is Undefined, optional + Disables the OCSP responder in Vault. Vault 1.12+ Disables or enables the OCSP responder in Vault. 
+ ocspExpiry : str, default is Undefined, optional + The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. Vault 1.12+ The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. + unifiedCrl : bool, default is Undefined, optional + Enables unified CRL and OCSP building. Vault 1.13+ Enables unified CRL and OCSP building. + unifiedCrlOnExistingPaths : bool, default is Undefined, optional + Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. Vault 1.13+ Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. + """ + + + autoRebuild?: bool + + autoRebuildGracePeriod?: str + + backend?: str + + crossClusterRevocation?: bool + + deltaRebuildInterval?: str + + disable?: bool + + enableDelta?: bool + + expiry?: str + + namespace?: str + + ocspDisable?: bool + + ocspExpiry?: str + + unifiedCrl?: bool + + unifiedCrlOnExistingPaths?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatus: + r""" + SecretBackendCrlConfigStatus defines the observed state of SecretBackendCrlConfig. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend crl config status at provider + + Attributes + ---------- + autoRebuild : bool, default is Undefined, optional + Enables periodic rebuilding of the CRL upon expiry. Vault 1.12+ Enables or disables periodic rebuilding of the CRL upon expiry. + autoRebuildGracePeriod : str, default is Undefined, optional + Grace period before CRL expiry to attempt rebuild of CRL. Vault 1.12+ Grace period before CRL expiry to attempt rebuild of CRL. + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. 
+ crossClusterRevocation : bool, default is Undefined, optional + Enable cross-cluster revocation request queues. Vault 1.13+ Enable cross-cluster revocation request queues. + deltaRebuildInterval : str, default is Undefined, optional + Interval to check for new revocations on, to regenerate the delta CRL. Interval to check for new revocations on, to regenerate the delta CRL. + disable : bool, default is Undefined, optional + Disables or enables CRL building. Disables or enables CRL building + enableDelta : bool, default is Undefined, optional + Enables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. Vault 1.12+ Enables or disables building of delta CRLs with up-to-date revocation information, augmenting the last complete CRL. + expiry : str, default is Undefined, optional + Specifies the time until expiration. Specifies the time until expiration. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + ocspDisable : bool, default is Undefined, optional + Disables the OCSP responder in Vault. Vault 1.12+ Disables or enables the OCSP responder in Vault. + ocspExpiry : str, default is Undefined, optional + The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. Vault 1.12+ The amount of time an OCSP response can be cached for, useful for OCSP stapling refresh durations. + unifiedCrl : bool, default is Undefined, optional + Enables unified CRL and OCSP building. Vault 1.13+ Enables unified CRL and OCSP building. + unifiedCrlOnExistingPaths : bool, default is Undefined, optional + Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. 
Vault 1.13+ Enables serving the unified CRL and OCSP on the existing, previously cluster-local paths. + """ + + + autoRebuild?: bool + + autoRebuildGracePeriod?: str + + backend?: str + + crossClusterRevocation?: bool + + deltaRebuildInterval?: str + + disable?: bool + + enableDelta?: bool + + expiry?: str + + id?: str + + namespace?: str + + ocspDisable?: bool + + ocspExpiry?: str + + unifiedCrl?: bool + + unifiedCrlOnExistingPaths?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendCrlConfigStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_cert_request.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_cert_request.k new file mode 100644 index 00000000..d0dc175d --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_cert_request.k 
@@ -0,0 +1,643 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendIntermediateCertRequest: + r""" + SecretBackendIntermediateCertRequest is the Schema for the SecretBackendIntermediateCertRequests API. Generate a new private key and a CSR for signing the PKI. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendIntermediateCertRequest", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendIntermediateCertRequest" = "SecretBackendIntermediateCertRequest" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpec: + r""" + SecretBackendIntermediateCertRequestSpec defines the desired state of SecretBackendIntermediateCertRequest + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. 
Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderConfigRef + + providerRef?: 
PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend intermediate cert request spec for provider + + Attributes + ---------- + addBasicConstraints : bool, default is Undefined, optional + Adds a Basic Constraints extension with 'CA: true'. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services Set 'CA: true' in a Basic Constraints extension. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services. + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create CN of intermediate to create. + country : str, default is Undefined, optional + The country The country. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + keyBits : float, default is Undefined, optional + The number of bits to use The number of bits to use. + keyName : str, default is Undefined, optional + When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name. 
When a new key is created with this request, optionally specifies the name for this. + keyRef : str, default is Undefined, optional + Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests. Specifies the key to use for generating this request. + keyType : str, default is Undefined, optional + The desired key type The desired key type. + locality : str, default is Undefined, optional + The locality The locality. + managedKeyId : str, default is Undefined, optional + The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name The ID of the previously configured managed key. + managedKeyName : str, default is Undefined, optional + The name of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_id The name of the previously configured managed key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization The organization. + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ou : str, default is Undefined, optional + The organization unit The organization unit. + postalCode : str, default is Undefined, optional + The postal code The postal code. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + province : str, default is Undefined, optional + The province The province. + streetAddress : str, default is Undefined, optional + The street address The street address. + $type : str, default is Undefined, optional + Type of intermediate to create. 
Must be either "exported" or "internal" or "kms" Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. + """ + + + addBasicConstraints?: bool + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + keyBits?: float + + keyName?: str + + keyRef?: str + + keyType?: str + + locality?: str + + managedKeyId?: str + + managedKeyName?: str + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + postalCode?: str + + privateKeyFormat?: str + + province?: str + + streetAddress?: str + + $type?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + addBasicConstraints : bool, default is Undefined, optional + Adds a Basic Constraints extension with 'CA: true'. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services Set 'CA: true' in a Basic Constraints extension. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services. 
+ altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create CN of intermediate to create. + country : str, default is Undefined, optional + The country The country. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + keyBits : float, default is Undefined, optional + The number of bits to use The number of bits to use. + keyName : str, default is Undefined, optional + When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name. When a new key is created with this request, optionally specifies the name for this. + keyRef : str, default is Undefined, optional + Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests. Specifies the key to use for generating this request. + keyType : str, default is Undefined, optional + The desired key type The desired key type. + locality : str, default is Undefined, optional + The locality The locality. + managedKeyId : str, default is Undefined, optional + The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name The ID of the previously configured managed key. + managedKeyName : str, default is Undefined, optional + The name of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_id The name of the previously configured managed key. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization The organization. + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ou : str, default is Undefined, optional + The organization unit The organization unit. + postalCode : str, default is Undefined, optional + The postal code The postal code. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + province : str, default is Undefined, optional + The province The province. + streetAddress : str, default is Undefined, optional + The street address The street address. + $type : str, default is Undefined, optional + Type of intermediate to create. Must be either "exported" or "internal" or "kms" Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. 
+ """ + + + addBasicConstraints?: bool + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + keyBits?: float + + keyName?: str + + keyRef?: str + + keyType?: str + + locality?: str + + managedKeyId?: str + + managedKeyName?: str + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + postalCode?: str + + privateKeyFormat?: str + + province?: str + + streetAddress?: str + + $type?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatus: + r""" + SecretBackendIntermediateCertRequestStatus defines the observed state of SecretBackendIntermediateCertRequest. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend intermediate cert request status at provider + + Attributes + ---------- + addBasicConstraints : bool, default is Undefined, optional + Adds a Basic Constraints extension with 'CA: true'. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services Set 'CA: true' in a Basic Constraints extension. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services. + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create CN of intermediate to create. + country : str, default is Undefined, optional + The country The country. 
+ csr : str, default is Undefined, optional + The CSR The CSR. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + id : str, default is Undefined, optional + id + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + keyBits : float, default is Undefined, optional + The number of bits to use The number of bits to use. + keyId : str, default is Undefined, optional + The ID of the generated key. The ID of the generated key. + keyName : str, default is Undefined, optional + When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name. When a new key is created with this request, optionally specifies the name for this. + keyRef : str, default is Undefined, optional + Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests. Specifies the key to use for generating this request. + keyType : str, default is Undefined, optional + The desired key type The desired key type. + locality : str, default is Undefined, optional + The locality The locality. + managedKeyId : str, default is Undefined, optional + The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name The ID of the previously configured managed key. + managedKeyName : str, default is Undefined, optional + The name of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_id The name of the previously configured managed key. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization The organization. + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ou : str, default is Undefined, optional + The organization unit The organization unit. + postalCode : str, default is Undefined, optional + The postal code The postal code. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + privateKeyType : str, default is Undefined, optional + The private key type The private key type. + province : str, default is Undefined, optional + The province The province. + streetAddress : str, default is Undefined, optional + The street address The street address. + $type : str, default is Undefined, optional + Type of intermediate to create. Must be either "exported" or "internal" or "kms" Type of intermediate to create. Must be either "existing", "exported", "internal" or "kms" + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. + """ + + + addBasicConstraints?: bool + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + csr?: str + + excludeCnFromSans?: bool + + format?: str + + id?: str + + ipSans?: [str] + + keyBits?: float + + keyId?: str + + keyName?: str + + keyRef?: str + + keyType?: str + + locality?: str + + managedKeyId?: str + + managedKeyName?: str + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + postalCode?: str + + privateKeyFormat?: str + + privateKeyType?: str + + province?: str + + streetAddress?: str + + $type?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateCertRequestStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_set_signed.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_set_signed.k new file mode 100644 index 00000000..459bbe03 --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_intermediate_set_signed.k 
@@ -0,0 +1,375 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendIntermediateSetSigned: + r""" + SecretBackendIntermediateSetSigned is the Schema for the SecretBackendIntermediateSetSigneds API. Submit the PKI CA certificate. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendIntermediateSetSigned", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendIntermediateSetSigned" = "SecretBackendIntermediateSetSigned" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpec: + r""" + SecretBackendIntermediateSetSignedSpec defines the desired state of SecretBackendIntermediateSetSigned + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderRef + + publishConnectionDetailsTo?: 
PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend intermediate set signed spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + certificate : str, default is Undefined, optional + Specifies the PEM encoded certificate. May optionally append additional CA certificates to populate the whole chain, which will then enable returning the full chain from issue and sign operations. The certificate. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + certificate?: str + + namespace?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + certificate : str, default is Undefined, optional + Specifies the PEM encoded certificate. May optionally append additional CA certificates to populate the whole chain, which will then enable returning the full chain from issue and sign operations. The certificate. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + certificate?: str + + namespace?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. 
- Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatus: + r""" + SecretBackendIntermediateSetSignedStatus defines the observed state of SecretBackendIntermediateSetSigned. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend intermediate set signed status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. 
The PKI secret backend the resource belongs to. + certificate : str, default is Undefined, optional + Specifies the PEM encoded certificate. May optionally append additional CA certificates to populate the whole chain, which will then enable returning the full chain from issue and sign operations. The certificate. + id : str, default is Undefined, optional + id + importedIssuers : [str], default is Undefined, optional + The imported issuers indicating which issuers were created as part of this request. The imported issuers. + importedKeys : [str], default is Undefined, optional + The imported keys indicating which keys were created as part of this request. The imported keys. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + backend?: str + + certificate?: str + + id?: str + + importedIssuers?: [str] + + importedKeys?: [str] + + namespace?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendIntermediateSetSignedStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..5e2e7ab8 --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,949 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Create a role on an PKI Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + 
pki vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + allowAnyName : bool, default is Undefined, optional + Flag to allow any name Flag to allow any name + allowBareDomains : bool, default is Undefined, optional + Flag to allow certificates matching the actual domain Flag to allow certificates matching the actual domain. + allowGlobDomains : bool, default is Undefined, optional + Flag to allow names containing glob patterns. Flag to allow names containing glob patterns. + allowIpSans : bool, default is Undefined, optional + Flag to allow IP SANs Flag to allow IP SANs + allowLocalhost : bool, default is Undefined, optional + Flag to allow certificates for localhost Flag to allow certificates for localhost. + allowSubdomains : bool, default is Undefined, optional + Flag to allow certificates matching subdomains Flag to allow certificates matching subdomains. + allowWildcardCertificates : bool, default is Undefined, optional + Flag to allow wildcard certificates. Flag to allow wildcard certificates + allowedDomains : [str], default is Undefined, optional + List of allowed domains for certificates The domains of the role. + allowedDomainsTemplate : bool, default is Undefined, optional + Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + allowedOtherSans : [str], default is Undefined, optional + Defines allowed custom SANs Defines allowed custom SANs + allowedSerialNumbers : [str], default is Undefined, optional + An array of allowed serial numbers to put in Subject Defines allowed Subject serial numbers. 
+ allowedUriSans : [str], default is Undefined, optional + Defines allowed URI SANs Defines allowed URI SANs + allowedUriSansTemplate : bool, default is Undefined, optional + Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + allowedUserIds : [str], default is Undefined, optional + Defines allowed User IDs The allowed User ID's. + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + basicConstraintsValidForNonCa : bool, default is Undefined, optional + Flag to mark basic constraints valid when issuing non-CA certificates Flag to mark basic constraints valid when issuing non-CA certificates. + clientFlag : bool, default is Undefined, optional + Flag to specify certificates for client use Flag to specify certificates for client use. + codeSigningFlag : bool, default is Undefined, optional + Flag to specify certificates for code signing use Flag to specify certificates for code signing use. + country : [str], default is Undefined, optional + The country of generated certificates The country of generated certificates. + emailProtectionFlag : bool, default is Undefined, optional + Flag to specify certificates for email protection use Flag to specify certificates for email protection use. + enforceHostnames : bool, default is Undefined, optional + Flag to allow only valid host names Flag to allow only valid host names + extKeyUsage : [str], default is Undefined, optional + Specify the allowed extended key usage constraint on issued certificates Specify the allowed extended key usage constraint on issued certificates. 
+ extKeyUsageOids : [str], default is Undefined, optional + Specify the allowed extended key usage OIDs constraint on issued certificates A list of extended key usage OIDs. + generateLease : bool, default is Undefined, optional + Flag to generate leases with certificates Flag to generate leases with certificates. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value. Specifies the default issuer of this request. + keyBits : float, default is Undefined, optional + The number of bits of generated keys The number of bits of generated keys. + keyType : str, default is Undefined, optional + The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa The generated key type. + keyUsage : [str], default is Undefined, optional + Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list []. Specify the allowed key usage constraint on issued certificates. + locality : [str], default is Undefined, optional + The locality of generated certificates The locality of generated certificates. + maxTtl : str, default is Undefined, optional + The maximum lease TTL, in seconds, for the role. The maximum TTL. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + noStore : bool, default is Undefined, optional + Flag to not store certificates in the storage backend Flag to not store certificates in the storage backend. + notBeforeDuration : str, default is Undefined, optional + Specifies the duration by which to backdate the NotBefore property. Specifies the duration by which to backdate the NotBefore property. + organization : [str], default is Undefined, optional + The organization of generated certificates The organization of generated certificates. + ou : [str], default is Undefined, optional + The organization unit of generated certificates The organization unit of generated certificates. + policyIdentifier : [PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderPolicyIdentifierItems0], default is Undefined, optional + (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments: Policy identifier block; can only be used with Vault 1.11+ + policyIdentifiers : [str], default is Undefined, optional + Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead Specify the list of allowed policies OIDs. + postalCode : [str], default is Undefined, optional + The postal code of generated certificates The postal code of generated certificates. + province : [str], default is Undefined, optional + The province of generated certificates The province of generated certificates. + requireCn : bool, default is Undefined, optional + Flag to force CN usage Flag to force CN usage. + serverFlag : bool, default is Undefined, optional + Flag to specify certificates for server use Flag to specify certificates for server use. + streetAddress : [str], default is Undefined, optional + The street address of generated certificates The street address of generated certificates. 
+ ttl : str, default is Undefined, optional + The TTL, in seconds, for any certificate issued against this role. The TTL. + useCsrCommonName : bool, default is Undefined, optional + Flag to use the CN in the CSR Flag to use the CN in the CSR. + useCsrSans : bool, default is Undefined, optional + Flag to use the SANs in the CSR Flag to use the SANs in the CSR. + """ + + + allowAnyName?: bool + + allowBareDomains?: bool + + allowGlobDomains?: bool + + allowIpSans?: bool + + allowLocalhost?: bool + + allowSubdomains?: bool + + allowWildcardCertificates?: bool + + allowedDomains?: [str] + + allowedDomainsTemplate?: bool + + allowedOtherSans?: [str] + + allowedSerialNumbers?: [str] + + allowedUriSans?: [str] + + allowedUriSansTemplate?: bool + + allowedUserIds?: [str] + + backend?: str + + basicConstraintsValidForNonCa?: bool + + clientFlag?: bool + + codeSigningFlag?: bool + + country?: [str] + + emailProtectionFlag?: bool + + enforceHostnames?: bool + + extKeyUsage?: [str] + + extKeyUsageOids?: [str] + + generateLease?: bool + + issuerRef?: str + + keyBits?: float + + keyType?: str + + keyUsage?: [str] + + locality?: [str] + + maxTtl?: str + + name?: str + + namespace?: str + + noStore?: bool + + notBeforeDuration?: str + + organization?: [str] + + ou?: [str] + + policyIdentifier?: [PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderPolicyIdentifierItems0] + + policyIdentifiers?: [str] + + postalCode?: [str] + + province?: [str] + + requireCn?: bool + + serverFlag?: bool + + streetAddress?: [str] + + ttl?: str + + useCsrCommonName?: bool + + useCsrSans?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderPolicyIdentifierItems0: + r""" + pki vault upbound io v1alpha1 secret backend role spec for provider policy identifier items0 + + Attributes + ---------- + cps : str, default is Undefined, optional + The URL of the CPS for the policy identifier Optional CPS URL + notice : str, default is Undefined, optional + A notice for the policy 
identifier Optional notice + oid : str, default is Undefined, optional + The OID for the policy identifier OID + """ + + + cps?: str + + notice?: str + + oid?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowAnyName : bool, default is Undefined, optional + Flag to allow any name Flag to allow any name + allowBareDomains : bool, default is Undefined, optional + Flag to allow certificates matching the actual domain Flag to allow certificates matching the actual domain. + allowGlobDomains : bool, default is Undefined, optional + Flag to allow names containing glob patterns. Flag to allow names containing glob patterns. + allowIpSans : bool, default is Undefined, optional + Flag to allow IP SANs Flag to allow IP SANs + allowLocalhost : bool, default is Undefined, optional + Flag to allow certificates for localhost Flag to allow certificates for localhost. + allowSubdomains : bool, default is Undefined, optional + Flag to allow certificates matching subdomains Flag to allow certificates matching subdomains. + allowWildcardCertificates : bool, default is Undefined, optional + Flag to allow wildcard certificates. 
Flag to allow wildcard certificates + allowedDomains : [str], default is Undefined, optional + List of allowed domains for certificates The domains of the role. + allowedDomainsTemplate : bool, default is Undefined, optional + Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + allowedOtherSans : [str], default is Undefined, optional + Defines allowed custom SANs Defines allowed custom SANs + allowedSerialNumbers : [str], default is Undefined, optional + An array of allowed serial numbers to put in Subject Defines allowed Subject serial numbers. + allowedUriSans : [str], default is Undefined, optional + Defines allowed URI SANs Defines allowed URI SANs + allowedUriSansTemplate : bool, default is Undefined, optional + Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + allowedUserIds : [str], default is Undefined, optional + Defines allowed User IDs The allowed User ID's. + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + basicConstraintsValidForNonCa : bool, default is Undefined, optional + Flag to mark basic constraints valid when issuing non-CA certificates Flag to mark basic constraints valid when issuing non-CA certificates. + clientFlag : bool, default is Undefined, optional + Flag to specify certificates for client use Flag to specify certificates for client use. + codeSigningFlag : bool, default is Undefined, optional + Flag to specify certificates for code signing use Flag to specify certificates for code signing use. 
+ country : [str], default is Undefined, optional + The country of generated certificates The country of generated certificates. + emailProtectionFlag : bool, default is Undefined, optional + Flag to specify certificates for email protection use Flag to specify certificates for email protection use. + enforceHostnames : bool, default is Undefined, optional + Flag to allow only valid host names Flag to allow only valid host names + extKeyUsage : [str], default is Undefined, optional + Specify the allowed extended key usage constraint on issued certificates Specify the allowed extended key usage constraint on issued certificates. + extKeyUsageOids : [str], default is Undefined, optional + Specify the allowed extended key usage OIDs constraint on issued certificates A list of extended key usage OIDs. + generateLease : bool, default is Undefined, optional + Flag to generate leases with certificates Flag to generate leases with certificates. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value. Specifies the default issuer of this request. + keyBits : float, default is Undefined, optional + The number of bits of generated keys The number of bits of generated keys. + keyType : str, default is Undefined, optional + The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa The generated key type. + keyUsage : [str], default is Undefined, optional + Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list []. Specify the allowed key usage constraint on issued certificates. 
+ locality : [str], default is Undefined, optional + The locality of generated certificates The locality of generated certificates. + maxTtl : str, default is Undefined, optional + The maximum lease TTL, in seconds, for the role. The maximum TTL. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + noStore : bool, default is Undefined, optional + Flag to not store certificates in the storage backend Flag to not store certificates in the storage backend. + notBeforeDuration : str, default is Undefined, optional + Specifies the duration by which to backdate the NotBefore property. Specifies the duration by which to backdate the NotBefore property. + organization : [str], default is Undefined, optional + The organization of generated certificates The organization of generated certificates. + ou : [str], default is Undefined, optional + The organization unit of generated certificates The organization unit of generated certificates. + policyIdentifier : [PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderPolicyIdentifierItems0], default is Undefined, optional + (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments: Policy identifier block; can only be used with Vault 1.11+ + policyIdentifiers : [str], default is Undefined, optional + Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead Specify the list of allowed policies OIDs. 
+ postalCode : [str], default is Undefined, optional + The postal code of generated certificates The postal code of generated certificates. + province : [str], default is Undefined, optional + The province of generated certificates The province of generated certificates. + requireCn : bool, default is Undefined, optional + Flag to force CN usage Flag to force CN usage. + serverFlag : bool, default is Undefined, optional + Flag to specify certificates for server use Flag to specify certificates for server use. + streetAddress : [str], default is Undefined, optional + The street address of generated certificates The street address of generated certificates. + ttl : str, default is Undefined, optional + The TTL, in seconds, for any certificate issued against this role. The TTL. + useCsrCommonName : bool, default is Undefined, optional + Flag to use the CN in the CSR Flag to use the CN in the CSR. + useCsrSans : bool, default is Undefined, optional + Flag to use the SANs in the CSR Flag to use the SANs in the CSR. 
+ """ + + + allowAnyName?: bool + + allowBareDomains?: bool + + allowGlobDomains?: bool + + allowIpSans?: bool + + allowLocalhost?: bool + + allowSubdomains?: bool + + allowWildcardCertificates?: bool + + allowedDomains?: [str] + + allowedDomainsTemplate?: bool + + allowedOtherSans?: [str] + + allowedSerialNumbers?: [str] + + allowedUriSans?: [str] + + allowedUriSansTemplate?: bool + + allowedUserIds?: [str] + + backend?: str + + basicConstraintsValidForNonCa?: bool + + clientFlag?: bool + + codeSigningFlag?: bool + + country?: [str] + + emailProtectionFlag?: bool + + enforceHostnames?: bool + + extKeyUsage?: [str] + + extKeyUsageOids?: [str] + + generateLease?: bool + + issuerRef?: str + + keyBits?: float + + keyType?: str + + keyUsage?: [str] + + locality?: [str] + + maxTtl?: str + + name?: str + + namespace?: str + + noStore?: bool + + notBeforeDuration?: str + + organization?: [str] + + ou?: [str] + + policyIdentifier?: [PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderPolicyIdentifierItems0] + + policyIdentifiers?: [str] + + postalCode?: [str] + + province?: [str] + + requireCn?: bool + + serverFlag?: bool + + streetAddress?: [str] + + ttl?: str + + useCsrCommonName?: bool + + useCsrSans?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderPolicyIdentifierItems0: + r""" + pki vault upbound io v1alpha1 secret backend role spec init provider policy identifier items0 + + Attributes + ---------- + cps : str, default is Undefined, optional + The URL of the CPS for the policy identifier Optional CPS URL + notice : str, default is Undefined, optional + A notice for the policy identifier Optional notice + oid : str, default is Undefined, optional + The OID for the policy identifier OID + """ + + + cps?: str + + notice?: str + + oid?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this 
managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. 
+ $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + allowAnyName : bool, default is Undefined, optional + Flag to allow any name Flag to allow any name + allowBareDomains : bool, default is Undefined, optional + Flag to allow certificates matching the actual domain Flag to allow certificates matching the actual domain. + allowGlobDomains : bool, default is Undefined, optional + Flag to allow names containing glob patterns. Flag to allow names containing glob patterns. + allowIpSans : bool, default is Undefined, optional + Flag to allow IP SANs Flag to allow IP SANs + allowLocalhost : bool, default is Undefined, optional + Flag to allow certificates for localhost Flag to allow certificates for localhost. + allowSubdomains : bool, default is Undefined, optional + Flag to allow certificates matching subdomains Flag to allow certificates matching subdomains. + allowWildcardCertificates : bool, default is Undefined, optional + Flag to allow wildcard certificates. Flag to allow wildcard certificates + allowedDomains : [str], default is Undefined, optional + List of allowed domains for certificates The domains of the role. + allowedDomainsTemplate : bool, default is Undefined, optional + Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_domains` specifies a template expression (e.g. 
{{identity.entity.aliases..name}}) + allowedOtherSans : [str], default is Undefined, optional + Defines allowed custom SANs Defines allowed custom SANs + allowedSerialNumbers : [str], default is Undefined, optional + An array of allowed serial numbers to put in Subject Defines allowed Subject serial numbers. + allowedUriSans : [str], default is Undefined, optional + Defines allowed URI SANs Defines allowed URI SANs + allowedUriSansTemplate : bool, default is Undefined, optional + Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases..name}}. Flag to indicate that `allowed_uri_sans` specifies a template expression (e.g. {{identity.entity.aliases..name}}) + allowedUserIds : [str], default is Undefined, optional + Defines allowed User IDs The allowed User ID's. + backend : str, default is Undefined, optional + The path the PKI secret backend is mounted at, with no leading or trailing /s. The path of the PKI secret backend the resource belongs to. + basicConstraintsValidForNonCa : bool, default is Undefined, optional + Flag to mark basic constraints valid when issuing non-CA certificates Flag to mark basic constraints valid when issuing non-CA certificates. + clientFlag : bool, default is Undefined, optional + Flag to specify certificates for client use Flag to specify certificates for client use. + codeSigningFlag : bool, default is Undefined, optional + Flag to specify certificates for code signing use Flag to specify certificates for code signing use. + country : [str], default is Undefined, optional + The country of generated certificates The country of generated certificates. + emailProtectionFlag : bool, default is Undefined, optional + Flag to specify certificates for email protection use Flag to specify certificates for email protection use. 
+ enforceHostnames : bool, default is Undefined, optional + Flag to allow only valid host names Flag to allow only valid host names + extKeyUsage : [str], default is Undefined, optional + Specify the allowed extended key usage constraint on issued certificates Specify the allowed extended key usage constraint on issued certificates. + extKeyUsageOids : [str], default is Undefined, optional + Specify the allowed extended key usage OIDs constraint on issued certificates A list of extended key usage OIDs. + generateLease : bool, default is Undefined, optional + Flag to generate leases with certificates Flag to generate leases with certificates. + id : str, default is Undefined, optional + id + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value. Specifies the default issuer of this request. + keyBits : float, default is Undefined, optional + The number of bits of generated keys The number of bits of generated keys. + keyType : str, default is Undefined, optional + The generated key type, choices: rsa, ec, ed25519, any Defaults to rsa The generated key type. + keyUsage : [str], default is Undefined, optional + Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]). To specify no default key usage constraints, set this to an empty list []. Specify the allowed key usage constraint on issued certificates. + locality : [str], default is Undefined, optional + The locality of generated certificates The locality of generated certificates. + maxTtl : str, default is Undefined, optional + The maximum lease TTL, in seconds, for the role. The maximum TTL. + name : str, default is Undefined, optional + The name to identify this role within the backend. 
Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + noStore : bool, default is Undefined, optional + Flag to not store certificates in the storage backend Flag to not store certificates in the storage backend. + notBeforeDuration : str, default is Undefined, optional + Specifies the duration by which to backdate the NotBefore property. Specifies the duration by which to backdate the NotBefore property. + organization : [str], default is Undefined, optional + The organization of generated certificates The organization of generated certificates. + ou : [str], default is Undefined, optional + The organization unit of generated certificates The organization unit of generated certificates. + policyIdentifier : [PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderPolicyIdentifierItems0], default is Undefined, optional + (Vault 1.11+ only) A block for specifying policy identifers. The policy_identifier block can be repeated, and supports the following arguments: Policy identifier block; can only be used with Vault 1.11+ + policyIdentifiers : [str], default is Undefined, optional + Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead Specify the list of allowed policies OIDs. + postalCode : [str], default is Undefined, optional + The postal code of generated certificates The postal code of generated certificates. + province : [str], default is Undefined, optional + The province of generated certificates The province of generated certificates. + requireCn : bool, default is Undefined, optional + Flag to force CN usage Flag to force CN usage. 
+ serverFlag : bool, default is Undefined, optional + Flag to specify certificates for server use Flag to specify certificates for server use. + streetAddress : [str], default is Undefined, optional + The street address of generated certificates The street address of generated certificates. + ttl : str, default is Undefined, optional + The TTL, in seconds, for any certificate issued against this role. The TTL. + useCsrCommonName : bool, default is Undefined, optional + Flag to use the CN in the CSR Flag to use the CN in the CSR. + useCsrSans : bool, default is Undefined, optional + Flag to use the SANs in the CSR Flag to use the SANs in the CSR. + """ + + + allowAnyName?: bool + + allowBareDomains?: bool + + allowGlobDomains?: bool + + allowIpSans?: bool + + allowLocalhost?: bool + + allowSubdomains?: bool + + allowWildcardCertificates?: bool + + allowedDomains?: [str] + + allowedDomainsTemplate?: bool + + allowedOtherSans?: [str] + + allowedSerialNumbers?: [str] + + allowedUriSans?: [str] + + allowedUriSansTemplate?: bool + + allowedUserIds?: [str] + + backend?: str + + basicConstraintsValidForNonCa?: bool + + clientFlag?: bool + + codeSigningFlag?: bool + + country?: [str] + + emailProtectionFlag?: bool + + enforceHostnames?: bool + + extKeyUsage?: [str] + + extKeyUsageOids?: [str] + + generateLease?: bool + + id?: str + + issuerRef?: str + + keyBits?: float + + keyType?: str + + keyUsage?: [str] + + locality?: [str] + + maxTtl?: str + + name?: str + + namespace?: str + + noStore?: bool + + notBeforeDuration?: str + + organization?: [str] + + ou?: [str] + + policyIdentifier?: [PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderPolicyIdentifierItems0] + + policyIdentifiers?: [str] + + postalCode?: [str] + + province?: [str] + + requireCn?: bool + + serverFlag?: bool + + streetAddress?: [str] + + ttl?: str + + useCsrCommonName?: bool + + useCsrSans?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderPolicyIdentifierItems0: + r""" + 
pki vault upbound io v1alpha1 secret backend role status at provider policy identifier items0 + + Attributes + ---------- + cps : str, default is Undefined, optional + The URL of the CPS for the policy identifier Optional CPS URL + notice : str, default is Undefined, optional + A notice for the policy identifier Optional notice + oid : str, default is Undefined, optional + The OID for the policy identifier OID + """ + + + cps?: str + + notice?: str + + oid?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_cert.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_cert.k new file mode 100644 index 00000000..b650068e --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_cert.k 
@@ -0,0 +1,691 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRootCert: + r""" + SecretBackendRootCert is the Schema for the SecretBackendRootCerts API. Generate root. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRootCert", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRootCert" = "SecretBackendRootCert" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpec: + r""" + SecretBackendRootCertSpec defines the desired state of SecretBackendRootCert + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed 
resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend root cert spec for provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. 
The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create CN of root to create. + country : str, default is Undefined, optional + The country The country. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerName : str, default is Undefined, optional + Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. + keyBits : float, default is Undefined, optional + The number of bits to use The number of bits to use. + keyName : str, default is Undefined, optional + When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name. When a new key is created with this request, optionally specifies the name for this. + keyRef : str, default is Undefined, optional + Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests. Specifies the key to use for generating this request. + keyType : str, default is Undefined, optional + The desired key type The desired key type. + locality : str, default is Undefined, optional + The locality The locality. + managedKeyId : str, default is Undefined, optional + The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name The ID of the previously configured managed key. + managedKeyName : str, default is Undefined, optional + The name of the previously configured managed key. 
This field is required if type is kms and it conflicts with managed_key_id The name of the previously configured managed key. + maxPathLength : float, default is Undefined, optional + The maximum path length to encode in the generated certificate The maximum path length to encode in the generated certificate. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization The organization. + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ou : str, default is Undefined, optional + The organization unit The organization unit. + permittedDnsDomains : [str], default is Undefined, optional + List of domains for which certificates are allowed to be issued List of domains for which certificates are allowed to be issued. + postalCode : str, default is Undefined, optional + The postal code The postal code. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + province : str, default is Undefined, optional + The province The province. + streetAddress : str, default is Undefined, optional + The street address The street address. + ttl : str, default is Undefined, optional + Time to live Time to live. + $type : str, default is Undefined, optional + Type of intermediate to create. Must be either "exported", "internal" or "kms" Type of root to create. Must be either "existing", "exported", "internal" or "kms" + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. 
+ """ + + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerName?: str + + keyBits?: float + + keyName?: str + + keyRef?: str + + keyType?: str + + locality?: str + + managedKeyId?: str + + managedKeyName?: str + + maxPathLength?: float + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + permittedDnsDomains?: [str] + + postalCode?: str + + privateKeyFormat?: str + + province?: str + + streetAddress?: str + + ttl?: str + + $type?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create CN of root to create. + country : str, default is Undefined, optional + The country The country. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. 
+ format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerName : str, default is Undefined, optional + Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. + keyBits : float, default is Undefined, optional + The number of bits to use The number of bits to use. + keyName : str, default is Undefined, optional + When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name. When a new key is created with this request, optionally specifies the name for this. + keyRef : str, default is Undefined, optional + Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests. Specifies the key to use for generating this request. + keyType : str, default is Undefined, optional + The desired key type The desired key type. + locality : str, default is Undefined, optional + The locality The locality. + managedKeyId : str, default is Undefined, optional + The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name The ID of the previously configured managed key. + managedKeyName : str, default is Undefined, optional + The name of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_id The name of the previously configured managed key. + maxPathLength : float, default is Undefined, optional + The maximum path length to encode in the generated certificate The maximum path length to encode in the generated certificate. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization The organization. + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ou : str, default is Undefined, optional + The organization unit The organization unit. + permittedDnsDomains : [str], default is Undefined, optional + List of domains for which certificates are allowed to be issued List of domains for which certificates are allowed to be issued. + postalCode : str, default is Undefined, optional + The postal code The postal code. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + province : str, default is Undefined, optional + The province The province. + streetAddress : str, default is Undefined, optional + The street address The street address. + ttl : str, default is Undefined, optional + Time to live Time to live. + $type : str, default is Undefined, optional + Type of intermediate to create. Must be either "exported", "internal" or "kms" Type of root to create. Must be either "existing", "exported", "internal" or "kms" + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. 
+ """ + + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerName?: str + + keyBits?: float + + keyName?: str + + keyRef?: str + + keyType?: str + + locality?: str + + managedKeyId?: str + + managedKeyName?: str + + maxPathLength?: float + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + permittedDnsDomains?: [str] + + postalCode?: str + + privateKeyFormat?: str + + province?: str + + streetAddress?: str + + ttl?: str + + $type?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatus: + r""" + SecretBackendRootCertStatus defines the observed state of SecretBackendRootCert. 
+ + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend root cert status at provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + certificate : str, default is Undefined, optional + The certificate. The certificate. + commonName : str, default is Undefined, optional + CN of intermediate to create CN of root to create. + country : str, default is Undefined, optional + The country The country. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + id : str, default is Undefined, optional + id + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerId : str, default is Undefined, optional + The ID of the generated issuer. The ID of the generated issuer. + issuerName : str, default is Undefined, optional + Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value default Provides a name to the specified issuer. The name must be unique across all issuers and not be the reserved value 'default'. 
+ issuingCa : str, default is Undefined, optional + The issuing CA certificate. The issuing CA. + keyBits : float, default is Undefined, optional + The number of bits to use The number of bits to use. + keyId : str, default is Undefined, optional + The ID of the generated key. The ID of the generated key. + keyName : str, default is Undefined, optional + When a new key is created with this request, optionally specifies the name for this. The global ref default may not be used as a name. When a new key is created with this request, optionally specifies the name for this. + keyRef : str, default is Undefined, optional + Specifies the key (either default, by name, or by identifier) to use for generating this request. Only suitable for type=existing requests. Specifies the key to use for generating this request. + keyType : str, default is Undefined, optional + The desired key type The desired key type. + locality : str, default is Undefined, optional + The locality The locality. + managedKeyId : str, default is Undefined, optional + The ID of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_name The ID of the previously configured managed key. + managedKeyName : str, default is Undefined, optional + The name of the previously configured managed key. This field is required if type is kms and it conflicts with managed_key_id The name of the previously configured managed key. + maxPathLength : float, default is Undefined, optional + The maximum path length to encode in the generated certificate The maximum path length to encode in the generated certificate. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + organization : str, default is Undefined, optional + The organization The organization. + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ou : str, default is Undefined, optional + The organization unit The organization unit. + permittedDnsDomains : [str], default is Undefined, optional + List of domains for which certificates are allowed to be issued List of domains for which certificates are allowed to be issued. + postalCode : str, default is Undefined, optional + The postal code The postal code. + privateKeyFormat : str, default is Undefined, optional + The private key format The private key format. + province : str, default is Undefined, optional + The province The province. + serial : str, default is Undefined, optional + Deprecated, use serial_number instead. The serial number. + serialNumber : str, default is Undefined, optional + The certificate's serial number, hex formatted. The certificate's serial number, hex formatted. + streetAddress : str, default is Undefined, optional + The street address The street address. + ttl : str, default is Undefined, optional + Time to live Time to live. + $type : str, default is Undefined, optional + Type of intermediate to create. Must be either "exported", "internal" or "kms" Type of root to create. Must be either "existing", "exported", "internal" or "kms" + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. 
+ """ + + + altNames?: [str] + + backend?: str + + certificate?: str + + commonName?: str + + country?: str + + excludeCnFromSans?: bool + + format?: str + + id?: str + + ipSans?: [str] + + issuerId?: str + + issuerName?: str + + issuingCa?: str + + keyBits?: float + + keyId?: str + + keyName?: str + + keyRef?: str + + keyType?: str + + locality?: str + + managedKeyId?: str + + managedKeyName?: str + + maxPathLength?: float + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + permittedDnsDomains?: [str] + + postalCode?: str + + privateKeyFormat?: str + + province?: str + + serial?: str + + serialNumber?: str + + streetAddress?: str + + ttl?: str + + $type?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootCertStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_sign_intermediate.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_sign_intermediate.k new file mode 100644 index 00000000..f0c9b70d --- /dev/null 
+++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_root_sign_intermediate.k 
@@ -0,0 +1,631 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRootSignIntermediate: + r""" + SecretBackendRootSignIntermediate is the Schema for the SecretBackendRootSignIntermediates API. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRootSignIntermediate", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRootSignIntermediate" = "SecretBackendRootSignIntermediate" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpec: + r""" + SecretBackendRootSignIntermediateSpec defines the desired state of SecretBackendRootSignIntermediate + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderRef + + publishConnectionDetailsTo?: 
PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecForProvider: + r""" + pki vault upbound io v1alpha1 secret backend root sign intermediate spec for provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create. + country : str, default is Undefined, optional + The country. + csr : str, default is Undefined, optional + The CSR. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. + locality : str, default is Undefined, optional + The locality. + maxPathLength : float, default is Undefined, optional + The maximum path length to encode in the generated certificate. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization. + otherSans : [str], default is Undefined, optional + List of other SANs. + ou : str, default is Undefined, optional + The organization unit. + permittedDnsDomains : [str], default is Undefined, optional + List of domains for which certificates are allowed to be issued. + postalCode : str, default is Undefined, optional + The postal code. + province : str, default is Undefined, optional + The province. + revoke : bool, default is Undefined, optional + Revoke the certificate upon resource destruction. 
+ streetAddress : str, default is Undefined, optional + The street address. + ttl : str, default is Undefined, optional + Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs. + useCsrValues : bool, default is Undefined, optional + Preserve CSR values. + """ + + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + csr?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerRef?: str + + locality?: str + + maxPathLength?: float + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + permittedDnsDomains?: [str] + + postalCode?: str + + province?: str + + revoke?: bool + + streetAddress?: str + + ttl?: str + + uriSans?: [str] + + useCsrValues?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of intermediate to create. + country : str, default is Undefined, optional + The country. + csr : str, default is Undefined, optional + The CSR. 
+ excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. + locality : str, default is Undefined, optional + The locality. + maxPathLength : float, default is Undefined, optional + The maximum path length to encode in the generated certificate. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization. + otherSans : [str], default is Undefined, optional + List of other SANs. + ou : str, default is Undefined, optional + The organization unit. + permittedDnsDomains : [str], default is Undefined, optional + List of domains for which certificates are allowed to be issued. + postalCode : str, default is Undefined, optional + The postal code. + province : str, default is Undefined, optional + The province. + revoke : bool, default is Undefined, optional + Revoke the certificate upon resource destruction. + streetAddress : str, default is Undefined, optional + The street address. + ttl : str, default is Undefined, optional + Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs. + useCsrValues : bool, default is Undefined, optional + Preserve CSR values. 
+ """ + + + altNames?: [str] + + backend?: str + + commonName?: str + + country?: str + + csr?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerRef?: str + + locality?: str + + maxPathLength?: float + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + permittedDnsDomains?: [str] + + postalCode?: str + + province?: str + + revoke?: bool + + streetAddress?: str + + ttl?: str + + uriSans?: [str] + + useCsrValues?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatus: + r""" + SecretBackendRootSignIntermediateStatus defines the observed state of SecretBackendRootSignIntermediate. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend root sign intermediate status at provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names. + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. + caChain : [str], default is Undefined, optional + The CA chain as a list of format specific certificates + certificate : str, default is Undefined, optional + The signed intermediate CA certificate. + certificateBundle : str, default is Undefined, optional + The concatenation of the intermediate and issuing CA certificates (PEM encoded). Requires the format to be set to any of: pem, pem_bundle. The value will be empty for all other formats. + commonName : str, default is Undefined, optional + CN of intermediate to create. + country : str, default is Undefined, optional + The country. + csr : str, default is Undefined, optional + The CSR. 
+ excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data. + id : str, default is Undefined, optional + id + ipSans : [str], default is Undefined, optional + List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. + issuingCa : str, default is Undefined, optional + The issuing CA certificate. + locality : str, default is Undefined, optional + The locality. + maxPathLength : float, default is Undefined, optional + The maximum path length to encode in the generated certificate. + namespace : str, default is Undefined, optional + Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization. + otherSans : [str], default is Undefined, optional + List of other SANs. + ou : str, default is Undefined, optional + The organization unit. + permittedDnsDomains : [str], default is Undefined, optional + List of domains for which certificates are allowed to be issued. + postalCode : str, default is Undefined, optional + The postal code. + province : str, default is Undefined, optional + The province. + revoke : bool, default is Undefined, optional + Revoke the certificate upon resource destruction. + serial : str, default is Undefined, optional + The serial number. + serialNumber : str, default is Undefined, optional + The certificate's serial number, hex formatted. + streetAddress : str, default is Undefined, optional + The street address. + ttl : str, default is Undefined, optional + Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs. + useCsrValues : bool, default is Undefined, optional + Preserve CSR values. 
+ """ + + + altNames?: [str] + + backend?: str + + caChain?: [str] + + certificate?: str + + certificateBundle?: str + + commonName?: str + + country?: str + + csr?: str + + excludeCnFromSans?: bool + + format?: str + + id?: str + + ipSans?: [str] + + issuerRef?: str + + issuingCa?: str + + locality?: str + + maxPathLength?: float + + namespace?: str + + organization?: str + + otherSans?: [str] + + ou?: str + + permittedDnsDomains?: [str] + + postalCode?: str + + province?: str + + revoke?: bool + + serial?: str + + serialNumber?: str + + streetAddress?: str + + ttl?: str + + uriSans?: [str] + + useCsrValues?: bool + + +schema PkiVaultUpboundIoV1alpha1SecretBackendRootSignIntermediateStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_sign.k b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_sign.k new file mode 100644 index 00000000..bd7ab42b --- /dev/null +++ b/crossplane-provider-vault/pki/v1alpha1/pki_vault_upbound_io_v1alpha1_secret_backend_sign.k 
@@ -0,0 +1,539 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendSign: + r""" + SecretBackendSign is the Schema for the SecretBackendSigns API. Sign a new certificate based on the CSR by the PKI. + + Attributes + ---------- + apiVersion : str, default is "pki.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendSign", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : PkiVaultUpboundIoV1alpha1SecretBackendSignSpec, default is Undefined, required + spec + status : PkiVaultUpboundIoV1alpha1SecretBackendSignStatus, default is Undefined, optional + status + """ + + + apiVersion: "pki.vault.upbound.io/v1alpha1" = "pki.vault.upbound.io/v1alpha1" + + kind: "SecretBackendSign" = "SecretBackendSign" + + metadata?: v1.ObjectMeta + + spec: PkiVaultUpboundIoV1alpha1SecretBackendSignSpec + + status?: PkiVaultUpboundIoV1alpha1SecretBackendSignStatus + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpec: + r""" + SecretBackendSignSpec defines the desired state of SecretBackendSign + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecForProvider, default is Undefined, required + for provider + initProvider : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecForProvider + + initProvider?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderConfigRef + + providerRef?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderRef + + publishConnectionDetailsTo?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecWriteConnectionSecretToRef + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecForProvider: + r""" + 
pki vault upbound io v1alpha1 secret backend sign spec for provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + autoRenew : bool, default is Undefined, optional + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of certificate to create CN of intermediate to create. + csr : str, default is Undefined, optional + The CSR The CSR. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. Can be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value. Specifies the default issuer of this request. + minSecondsRemaining : float, default is Undefined, optional + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate a new certificate when the expiration is within this number of seconds + name : str, default is Undefined, optional + Name of the role to create the certificate against Name of the role to create the certificate against. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ttl : str, default is Undefined, optional + Time to live Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. + """ + + + altNames?: [str] + + autoRenew?: bool + + backend?: str + + commonName?: str + + csr?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerRef?: str + + minSecondsRemaining?: float + + name?: str + + namespace?: str + + otherSans?: [str] + + ttl?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + autoRenew : bool, default is Undefined, optional + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. 
The PKI secret backend the resource belongs to. + commonName : str, default is Undefined, optional + CN of certificate to create CN of intermediate to create. + csr : str, default is Undefined, optional + The CSR The CSR. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + format : str, default is Undefined, optional + The format of data The format of data. + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. Can be the value default, a name, or an issuer ID. Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value. Specifies the default issuer of this request. + minSecondsRemaining : float, default is Undefined, optional + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate a new certificate when the expiration is within this number of seconds + name : str, default is Undefined, optional + Name of the role to create the certificate against Name of the role to create the certificate against. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + ttl : str, default is Undefined, optional + Time to live Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. 
+ """ + + + altNames?: [str] + + autoRenew?: bool + + backend?: str + + commonName?: str + + csr?: str + + excludeCnFromSans?: bool + + format?: str + + ipSans?: [str] + + issuerRef?: str + + minSecondsRemaining?: float + + name?: str + + namespace?: str + + otherSans?: [str] + + ttl?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToConfigRef + + metadata?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToMetadata + + name: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToConfigRefPolicy + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignStatus: + r""" + SecretBackendSignStatus defines the observed state of SecretBackendSign. + + Attributes + ---------- + atProvider : PkiVaultUpboundIoV1alpha1SecretBackendSignStatusAtProvider, default is Undefined, optional + at provider + conditions : [PkiVaultUpboundIoV1alpha1SecretBackendSignStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: PkiVaultUpboundIoV1alpha1SecretBackendSignStatusAtProvider + + conditions?: [PkiVaultUpboundIoV1alpha1SecretBackendSignStatusConditionsItems0] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignStatusAtProvider: + r""" + pki vault upbound io v1alpha1 secret backend sign status at provider + + Attributes + ---------- + altNames : [str], default is Undefined, optional + List of alternative names List of alternative names. + autoRenew : bool, default is Undefined, optional + If set to true, certs will be renewed if the expiration is within min_seconds_remaining. Default false If enabled, a new certificate will be generated if the expiration is within min_seconds_remaining + backend : str, default is Undefined, optional + The PKI secret backend the resource belongs to. The PKI secret backend the resource belongs to. + caChain : [str], default is Undefined, optional + The CA chain The CA chain. + certificate : str, default is Undefined, optional + The certificate The certicate. + commonName : str, default is Undefined, optional + CN of certificate to create CN of intermediate to create. + csr : str, default is Undefined, optional + The CSR The CSR. + excludeCnFromSans : bool, default is Undefined, optional + Flag to exclude CN from SANs Flag to exclude CN from SANs. + expiration : float, default is Undefined, optional + The expiration date of the certificate in unix epoch format The certificate expiration as a Unix-style timestamp. + format : str, default is Undefined, optional + The format of data The format of data. + id : str, default is Undefined, optional + id + ipSans : [str], default is Undefined, optional + List of alternative IPs List of alternative IPs. + issuerRef : str, default is Undefined, optional + Specifies the default issuer of this request. Can be the value default, a name, or an issuer ID. 
Use ACLs to prevent access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths to prevent users overriding the role's issuer_ref value. Specifies the default issuer of this request. + issuingCa : str, default is Undefined, optional + The issuing CA The issuing CA. + minSecondsRemaining : float, default is Undefined, optional + Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days) Generate a new certificate when the expiration is within this number of seconds + name : str, default is Undefined, optional + Name of the role to create the certificate against Name of the role to create the certificate against. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + otherSans : [str], default is Undefined, optional + List of other SANs List of other SANs. + renewPending : bool, default is Undefined, optional + true if the current time (during refresh) is after the start of the early renewal window declared by min_seconds_remaining, and false otherwise; if auto_renew is set to true then the provider will plan to replace the certificate once renewal is pending. Initially false, and then set to true during refresh once the expiration is less than min_seconds_remaining in the future. + serial : str, default is Undefined, optional + Use serial_number instead. The serial number. + serialNumber : str, default is Undefined, optional + The certificate's serial number, hex formatted. The certificate's serial number, hex formatted. + ttl : str, default is Undefined, optional + Time to live Time to live. + uriSans : [str], default is Undefined, optional + List of alternative URIs List of alternative URIs. 
+ """ + + + altNames?: [str] + + autoRenew?: bool + + backend?: str + + caChain?: [str] + + certificate?: str + + commonName?: str + + csr?: str + + excludeCnFromSans?: bool + + expiration?: float + + format?: str + + id?: str + + ipSans?: [str] + + issuerRef?: str + + issuingCa?: str + + minSecondsRemaining?: float + + name?: str + + namespace?: str + + otherSans?: [str] + + renewPending?: bool + + serial?: str + + serialNumber?: str + + ttl?: str + + uriSans?: [str] + + +schema PkiVaultUpboundIoV1alpha1SecretBackendSignStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_lease_count.k b/crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_lease_count.k new file mode 100644 index 00000000..31235257 --- /dev/null +++ b/crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_lease_count.k 
@@ -0,0 +1,391 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema LeaseCount: + r""" + LeaseCount is the Schema for the LeaseCounts API. Manage Lease Count Quota + + Attributes + ---------- + apiVersion : str, default is "quota.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "LeaseCount", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : QuotaVaultUpboundIoV1alpha1LeaseCountSpec, default is Undefined, required + spec + status : QuotaVaultUpboundIoV1alpha1LeaseCountStatus, default is Undefined, optional + status + """ + + + apiVersion: "quota.vault.upbound.io/v1alpha1" = "quota.vault.upbound.io/v1alpha1" + + kind: "LeaseCount" = "LeaseCount" + + metadata?: v1.ObjectMeta + + spec: QuotaVaultUpboundIoV1alpha1LeaseCountSpec + + status?: QuotaVaultUpboundIoV1alpha1LeaseCountStatus + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpec: + r""" + LeaseCountSpec defines the desired state of LeaseCount + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : QuotaVaultUpboundIoV1alpha1LeaseCountSpecForProvider, default is Undefined, required + for provider + initProvider : QuotaVaultUpboundIoV1alpha1LeaseCountSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : QuotaVaultUpboundIoV1alpha1LeaseCountSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: QuotaVaultUpboundIoV1alpha1LeaseCountSpecForProvider + + initProvider?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderConfigRef + + providerRef?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderRef + + publishConnectionDetailsTo?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecWriteConnectionSecretToRef + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecForProvider: + r""" + quota vault upbound io v1alpha1 lease count spec for provider + + Attributes + ---------- + maxLeases : float, default is Undefined, optional + The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. 
+ name : str, default is Undefined, optional + Name of the rate limit quota The name of the quota. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. + role : str, default is Undefined, optional + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + """ + + + maxLeases?: float + + name?: str + + namespace?: str + + path?: str + + role?: str + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. 
The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + maxLeases : float, default is Undefined, optional + The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. + name : str, default is Undefined, optional + Name of the rate limit quota The name of the quota. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. + role : str, default is Undefined, optional + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + """ + + + maxLeases?: float + + name?: str + + namespace?: str + + path?: str + + role?: str + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderConfigRefPolicy + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderRefPolicy + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToConfigRef + + metadata?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToMetadata + + name: str + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToConfigRefPolicy + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountStatus: + r""" + LeaseCountStatus defines the observed state of LeaseCount. + + Attributes + ---------- + atProvider : QuotaVaultUpboundIoV1alpha1LeaseCountStatusAtProvider, default is Undefined, optional + at provider + conditions : [QuotaVaultUpboundIoV1alpha1LeaseCountStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: QuotaVaultUpboundIoV1alpha1LeaseCountStatusAtProvider + + conditions?: [QuotaVaultUpboundIoV1alpha1LeaseCountStatusConditionsItems0] + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountStatusAtProvider: + r""" + quota vault upbound io v1alpha1 lease count status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + maxLeases : float, default is Undefined, optional + The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. The maximum number of leases to be allowed by the quota rule. The max_leases must be positive. + name : str, default is Undefined, optional + Name of the rate limit quota The name of the quota. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. Path of the mount or namespace to apply the quota. A blank path configures a global lease count quota. + role : str, default is Undefined, optional + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + """ + + + id?: str + + maxLeases?: float + + name?: str + + namespace?: str + + path?: str + + role?: str + + +schema QuotaVaultUpboundIoV1alpha1LeaseCountStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_rate_limit.k b/crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_rate_limit.k new file mode 100644 index 00000000..ad563d7d --- /dev/null +++ b/crossplane-provider-vault/quota/v1alpha1/quota_vault_upbound_io_v1alpha1_rate_limit.k 
@@ -0,0 +1,415 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema RateLimit: + r""" + RateLimit is the Schema for the RateLimits API. Manage Rate Limit Quota + + Attributes + ---------- + apiVersion : str, default is "quota.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "RateLimit", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : QuotaVaultUpboundIoV1alpha1RateLimitSpec, default is Undefined, required + spec + status : QuotaVaultUpboundIoV1alpha1RateLimitStatus, default is Undefined, optional + status + """ + + + apiVersion: "quota.vault.upbound.io/v1alpha1" = "quota.vault.upbound.io/v1alpha1" + + kind: "RateLimit" = "RateLimit" + + metadata?: v1.ObjectMeta + + spec: QuotaVaultUpboundIoV1alpha1RateLimitSpec + + status?: QuotaVaultUpboundIoV1alpha1RateLimitStatus + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpec: + r""" + RateLimitSpec defines the desired state of RateLimit + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : QuotaVaultUpboundIoV1alpha1RateLimitSpecForProvider, default is Undefined, required + for provider + initProvider : QuotaVaultUpboundIoV1alpha1RateLimitSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : QuotaVaultUpboundIoV1alpha1RateLimitSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: QuotaVaultUpboundIoV1alpha1RateLimitSpecForProvider + + initProvider?: QuotaVaultUpboundIoV1alpha1RateLimitSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderConfigRef + + providerRef?: QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderRef + + publishConnectionDetailsTo?: QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: QuotaVaultUpboundIoV1alpha1RateLimitSpecWriteConnectionSecretToRef + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecForProvider: + r""" + quota vault upbound io v1alpha1 rate limit spec for provider + + Attributes + ---------- + blockInterval : float, default is Undefined, optional + If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. 
If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + interval : float, default is Undefined, optional + The duration in seconds to enforce rate limiting for. The duration in seconds to enforce rate limiting for. + name : str, default is Undefined, optional + Name of the rate limit quota The name of the quota. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. + rate : float, default is Undefined, optional + The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. + role : str, default is Undefined, optional + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + """ + + + blockInterval?: float + + interval?: float + + name?: str + + namespace?: str + + path?: str + + rate?: float + + role?: str + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + blockInterval : float, default is Undefined, optional + If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. + interval : float, default is Undefined, optional + The duration in seconds to enforce rate limiting for. The duration in seconds to enforce rate limiting for. + name : str, default is Undefined, optional + Name of the rate limit quota The name of the quota. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. + rate : float, default is Undefined, optional + The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. + role : str, default is Undefined, optional + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. + """ + + + blockInterval?: float + + interval?: float + + name?: str + + namespace?: str + + path?: str + + rate?: float + + role?: str + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderConfigRefPolicy + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderRefPolicy + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToConfigRef + + metadata?: QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToMetadata + + name: str + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToConfigRefPolicy + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema QuotaVaultUpboundIoV1alpha1RateLimitSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema QuotaVaultUpboundIoV1alpha1RateLimitStatus: + r""" + RateLimitStatus defines the observed state of RateLimit. + + Attributes + ---------- + atProvider : QuotaVaultUpboundIoV1alpha1RateLimitStatusAtProvider, default is Undefined, optional + at provider + conditions : [QuotaVaultUpboundIoV1alpha1RateLimitStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: QuotaVaultUpboundIoV1alpha1RateLimitStatusAtProvider + + conditions?: [QuotaVaultUpboundIoV1alpha1RateLimitStatusConditionsItems0] + + +schema QuotaVaultUpboundIoV1alpha1RateLimitStatusAtProvider: + r""" + quota vault upbound io v1alpha1 rate limit status at provider + + Attributes + ---------- + blockInterval : float, default is Undefined, optional + If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' in seconds has elapsed. 
+ id : str, default is Undefined, optional + id + interval : float, default is Undefined, optional + The duration in seconds to enforce rate limiting for. The duration in seconds to enforce rate limiting for. + name : str, default is Undefined, optional + Name of the rate limit quota The name of the quota. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. Updating this field on an existing quota can have "moving" effects. For example, updating auth/userpass to namespace1/auth/userpass moves this quota from being a global mount quota to a namespace specific mount quota. Note, namespaces are supported in Enterprise only. Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. + rate : float, default is Undefined, optional + The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. The maximum number of requests at any given second to be allowed by the quota rule. The rate must be positive. + role : str, default is Undefined, optional + If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. If set on a quota where path is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role. 
+ """ + + + blockInterval?: float + + id?: str + + interval?: float + + name?: str + + namespace?: str + + path?: str + + rate?: float + + role?: str + + +schema QuotaVaultUpboundIoV1alpha1RateLimitStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend.k b/crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend.k new file mode 100644 index 00000000..5c63ef5d --- /dev/null +++ b/crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend.k 
@@ -0,0 +1,503 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackend: + r""" + SecretBackend is the Schema for the SecretBackends API. Creates an RabbitMQ secret backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "rabbitmq.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpec, default is Undefined, required + spec + status : RabbitmqVaultUpboundIoV1alpha1SecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "rabbitmq.vault.upbound.io/v1alpha1" = "rabbitmq.vault.upbound.io/v1alpha1" + + kind: "SecretBackend" = "SecretBackend" + + metadata?: v1.ObjectMeta + + spec: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpec + + status?: RabbitmqVaultUpboundIoV1alpha1SecretBackendStatus + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpec: + r""" + SecretBackendSpec defines the desired state of SecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either 
"Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProvider + + initProvider?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef + + providerRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderRef + + publishConnectionDetailsTo?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProvider: + r""" + rabbitmq vault upbound io v1alpha1 secret backend spec for provider + + Attributes + ---------- + connectionUri : str, default is Undefined, optional + Specifies the RabbitMQ connection URI. Specifies the RabbitMQ connection URI. + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. 
Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordPolicy : str, default is Undefined, optional + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + passwordSecretRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProviderPasswordSecretRef, default is Undefined, optional + password secret ref + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to rabbitmq. The path of the RabbitMQ Secret Backend where the connection should be configured + usernameSecretRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProviderUsernameSecretRef, default is Undefined, optional + username secret ref + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. 
+ verifyConnection : bool, default is Undefined, optional + Specifies whether to verify connection URI, username, and password. Defaults to true. Specifies whether to verify connection URI, username, and password. + """ + + + connectionUri?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + passwordPolicy?: str + + passwordSecretRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProviderPasswordSecretRef + + path?: str + + usernameSecretRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProviderUsernameSecretRef + + usernameTemplate?: str + + verifyConnection?: bool + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProviderPasswordSecretRef: + r""" + Specifies the RabbitMQ management administrator password. Specifies the RabbitMQ management administrator password + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecForProviderUsernameSecretRef: + r""" + Specifies the RabbitMQ management administrator username. Specifies the RabbitMQ management administrator username + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + connectionUri : str, default is Undefined, optional + Specifies the RabbitMQ connection URI. Specifies the RabbitMQ connection URI. + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordPolicy : str, default is Undefined, optional + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. Specifies a password policy to use when creating dynamic credentials. 
Defaults to generating an alphanumeric password if not set. + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to rabbitmq. The path of the RabbitMQ Secret Backend where the connection should be configured + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Specifies whether to verify connection URI, username, and password. Defaults to true. Specifies whether to verify connection URI, username, and password. + """ + + + connectionUri?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + passwordPolicy?: str + + path?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. 
+ resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendStatus: + r""" + SecretBackendStatus defines the observed state of SecretBackend. + + Attributes + ---------- + atProvider : RabbitmqVaultUpboundIoV1alpha1SecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [RabbitmqVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: RabbitmqVaultUpboundIoV1alpha1SecretBackendStatusAtProvider + + conditions?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendStatusAtProvider: + r""" + rabbitmq vault upbound io v1alpha1 secret backend status at provider + + Attributes + ---------- + connectionUri : str, default is Undefined, optional + Specifies the RabbitMQ connection URI. Specifies the RabbitMQ connection URI. + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. 
+ id : str, default is Undefined, optional + id + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + passwordPolicy : str, default is Undefined, optional + Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set. + path : str, default is Undefined, optional + The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to rabbitmq. The path of the RabbitMQ Secret Backend where the connection should be configured + usernameTemplate : str, default is Undefined, optional + Template describing how dynamic usernames are generated. Template describing how dynamic usernames are generated. + verifyConnection : bool, default is Undefined, optional + Specifies whether to verify connection URI, username, and password. Defaults to true. Specifies whether to verify connection URI, username, and password. + """ + + + connectionUri?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + id?: str + + maxLeaseTtlSeconds?: float + + namespace?: str + + passwordPolicy?: str + + path?: str + + usernameTemplate?: str + + verifyConnection?: bool + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..2b9cc37e --- /dev/null +++ b/crossplane-provider-vault/rabbitmq/v1alpha1/rabbitmq_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,601 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Creates a role on an RabbitMQ Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "rabbitmq.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "rabbitmq.vault.upbound.io/v1alpha1" = "rabbitmq.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema 
RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the RabbitMQ secret backend is mounted at, with no leading or trailing /s. The path of the Rabbitmq Secret Backend the role belongs to. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + tags : str, default is Undefined, optional + Specifies a comma-separated RabbitMQ management tags. Specifies a comma-separated RabbitMQ management tags. + vhost : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostItems0], default is Undefined, optional + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. + vhostTopic : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostTopicItems0], default is Undefined, optional + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. 
+ """ + + + backend?: str + + name?: str + + namespace?: str + + tags?: str + + vhost?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostItems0] + + vhostTopic?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostTopicItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec for provider vhost items0 + + Attributes + ---------- + configure : str, default is Undefined, optional + The configure permissions for this vhost. + host : str, default is Undefined, optional + The vhost to set permissions for. + read : str, default is Undefined, optional + The read permissions for this vhost. + write : str, default is Undefined, optional + The write permissions for this vhost. + """ + + + configure?: str + + host?: str + + read?: str + + write?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostTopicItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec for provider vhost topic items0 + + Attributes + ---------- + host : str, default is Undefined, optional + The vhost to set permissions for. + vhost : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostTopicItems0VhostItems0], default is Undefined, optional + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. + """ + + + host?: str + + vhost?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostTopicItems0VhostItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderVhostTopicItems0VhostItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec for provider vhost topic items0 vhost items0 + + Attributes + ---------- + read : str, default is Undefined, optional + The read permissions for this vhost. + topic : str, default is Undefined, optional + The vhost to set permissions for. 
+ write : str, default is Undefined, optional + The write permissions for this vhost. + """ + + + read?: str + + topic?: str + + write?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the RabbitMQ secret backend is mounted at, with no leading or trailing /s. The path of the Rabbitmq Secret Backend the role belongs to. + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + tags : str, default is Undefined, optional + Specifies a comma-separated RabbitMQ management tags. Specifies a comma-separated RabbitMQ management tags. + vhost : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostItems0], default is Undefined, optional + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. 
+ vhostTopic : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostTopicItems0], default is Undefined, optional + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + """ + + + backend?: str + + name?: str + + namespace?: str + + tags?: str + + vhost?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostItems0] + + vhostTopic?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostTopicItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec init provider vhost items0 + + Attributes + ---------- + configure : str, default is Undefined, optional + The configure permissions for this vhost. + host : str, default is Undefined, optional + The vhost to set permissions for. + read : str, default is Undefined, optional + The read permissions for this vhost. + write : str, default is Undefined, optional + The write permissions for this vhost. + """ + + + configure?: str + + host?: str + + read?: str + + write?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostTopicItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec init provider vhost topic items0 + + Attributes + ---------- + host : str, default is Undefined, optional + The vhost to set permissions for. + vhost : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostTopicItems0VhostItems0], default is Undefined, optional + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. 
+ """ + + + host?: str + + vhost?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostTopicItems0VhostItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderVhostTopicItems0VhostItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role spec init provider vhost topic items0 vhost items0 + + Attributes + ---------- + read : str, default is Undefined, optional + The read permissions for this vhost. + topic : str, default is Undefined, optional + The vhost to set permissions for. + write : str, default is Undefined, optional + The write permissions for this vhost. + """ + + + read?: str + + topic?: str + + write?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. 
The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + name: str + + namespace: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path the RabbitMQ secret backend is mounted at, with no leading or trailing /s. The path of the Rabbitmq Secret Backend the role belongs to. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name to identify this role within the backend. Must be unique within the backend. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + tags : str, default is Undefined, optional + Specifies a comma-separated RabbitMQ management tags. Specifies a comma-separated RabbitMQ management tags. + vhost : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostItems0], default is Undefined, optional + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. 
+ vhostTopic : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostTopicItems0], default is Undefined, optional + Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later. + """ + + + backend?: str + + id?: str + + name?: str + + namespace?: str + + tags?: str + + vhost?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostItems0] + + vhostTopic?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostTopicItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role status at provider vhost items0 + + Attributes + ---------- + configure : str, default is Undefined, optional + The configure permissions for this vhost. + host : str, default is Undefined, optional + The vhost to set permissions for. + read : str, default is Undefined, optional + The read permissions for this vhost. + write : str, default is Undefined, optional + The write permissions for this vhost. + """ + + + configure?: str + + host?: str + + read?: str + + write?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostTopicItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role status at provider vhost topic items0 + + Attributes + ---------- + host : str, default is Undefined, optional + The vhost to set permissions for. + vhost : [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostTopicItems0VhostItems0], default is Undefined, optional + Specifies a map of virtual hosts to permissions. Specifies a map of virtual hosts to permissions. 
+ """ + + + host?: str + + vhost?: [RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostTopicItems0VhostItems0] + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderVhostTopicItems0VhostItems0: + r""" + rabbitmq vault upbound io v1alpha1 secret backend role status at provider vhost topic items0 vhost items0 + + Attributes + ---------- + read : str, default is Undefined, optional + The read permissions for this vhost. + topic : str, default is Undefined, optional + The vhost to set permissions for. + write : str, default is Undefined, optional + The write permissions for this vhost. + """ + + + read?: str + + topic?: str + + write?: str + + +schema RabbitmqVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_autopilot.k b/crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_autopilot.k new file mode 100644 index 00000000..55321531 --- /dev/null +++ b/crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_autopilot.k 
@@ -0,0 +1,427 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Autopilot: + r""" + Autopilot is the Schema for the Autopilots API. Configures Raft's Autopilot capabilities. + + Attributes + ---------- + apiVersion : str, default is "raft.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Autopilot", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : RaftVaultUpboundIoV1alpha1AutopilotSpec, default is Undefined, required + spec + status : RaftVaultUpboundIoV1alpha1AutopilotStatus, default is Undefined, optional + status + """ + + + apiVersion: "raft.vault.upbound.io/v1alpha1" = "raft.vault.upbound.io/v1alpha1" + + kind: "Autopilot" = "Autopilot" + + metadata?: v1.ObjectMeta + + spec: RaftVaultUpboundIoV1alpha1AutopilotSpec + + status?: RaftVaultUpboundIoV1alpha1AutopilotStatus + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpec: + r""" + AutopilotSpec defines the desired state of Autopilot + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : RaftVaultUpboundIoV1alpha1AutopilotSpecForProvider, default is Undefined, required + for provider + initProvider : RaftVaultUpboundIoV1alpha1AutopilotSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : RaftVaultUpboundIoV1alpha1AutopilotSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : RaftVaultUpboundIoV1alpha1AutopilotSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : RaftVaultUpboundIoV1alpha1AutopilotSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: RaftVaultUpboundIoV1alpha1AutopilotSpecForProvider + + initProvider?: RaftVaultUpboundIoV1alpha1AutopilotSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: RaftVaultUpboundIoV1alpha1AutopilotSpecProviderConfigRef + + providerRef?: RaftVaultUpboundIoV1alpha1AutopilotSpecProviderRef + + publishConnectionDetailsTo?: RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: RaftVaultUpboundIoV1alpha1AutopilotSpecWriteConnectionSecretToRef + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecForProvider: + r""" + raft vault upbound io v1alpha1 autopilot spec for provider + + Attributes + ---------- + cleanupDeadServers : bool, default is Undefined, optional + quorum is also set. Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. 
+ deadServerLastContactThreshold : str, default is Undefined, optional + Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. + disableUpgradeMigration : bool, default is Undefined, optional + only) Disables automatically upgrading Vault using autopilot. (Enterprise-only) + lastContactThreshold : str, default is Undefined, optional + Limit the amount of time a server can go without leader contact before being considered unhealthy. Limit the amount of time a server can go without leader contact before being considered unhealthy. + maxTrailingLogs : float, default is Undefined, optional + Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. + minQuorum : float, default is Undefined, optional + Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + serverStabilizationTime : str, default is Undefined, optional + Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. 
Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. + """ + + + cleanupDeadServers?: bool + + deadServerLastContactThreshold?: str + + disableUpgradeMigration?: bool + + lastContactThreshold?: str + + maxTrailingLogs?: float + + minQuorum?: float + + namespace?: str + + serverStabilizationTime?: str + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + cleanupDeadServers : bool, default is Undefined, optional + quorum is also set. Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. + deadServerLastContactThreshold : str, default is Undefined, optional + Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. + disableUpgradeMigration : bool, default is Undefined, optional + only) Disables automatically upgrading Vault using autopilot. 
(Enterprise-only) + lastContactThreshold : str, default is Undefined, optional + Limit the amount of time a server can go without leader contact before being considered unhealthy. Limit the amount of time a server can go without leader contact before being considered unhealthy. + maxTrailingLogs : float, default is Undefined, optional + Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. + minQuorum : float, default is Undefined, optional + Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + serverStabilizationTime : str, default is Undefined, optional + Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. + """ + + + cleanupDeadServers?: bool + + deadServerLastContactThreshold?: str + + disableUpgradeMigration?: bool + + lastContactThreshold?: str + + maxTrailingLogs?: float + + minQuorum?: float + + namespace?: str + + serverStabilizationTime?: str + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RaftVaultUpboundIoV1alpha1AutopilotSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RaftVaultUpboundIoV1alpha1AutopilotSpecProviderConfigRefPolicy + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RaftVaultUpboundIoV1alpha1AutopilotSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RaftVaultUpboundIoV1alpha1AutopilotSpecProviderRefPolicy + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToConfigRef + + metadata?: RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToMetadata + + name: str + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToConfigRefPolicy + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema RaftVaultUpboundIoV1alpha1AutopilotSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema RaftVaultUpboundIoV1alpha1AutopilotStatus: + r""" + AutopilotStatus defines the observed state of Autopilot. + + Attributes + ---------- + atProvider : RaftVaultUpboundIoV1alpha1AutopilotStatusAtProvider, default is Undefined, optional + at provider + conditions : [RaftVaultUpboundIoV1alpha1AutopilotStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: RaftVaultUpboundIoV1alpha1AutopilotStatusAtProvider + + conditions?: [RaftVaultUpboundIoV1alpha1AutopilotStatusConditionsItems0] + + +schema RaftVaultUpboundIoV1alpha1AutopilotStatusAtProvider: + r""" + raft vault upbound io v1alpha1 autopilot status at provider + + Attributes + ---------- + cleanupDeadServers : bool, default is Undefined, optional + quorum is also set. Specifies whether to remove dead server nodes periodically or when a new server joins. This requires that min-quorum is also set. + deadServerLastContactThreshold : str, default is Undefined, optional + Limit the amount of time a server can go without leader contact before being considered failed. 
This only takes effect when cleanup_dead_servers is set. Limit the amount of time a server can go without leader contact before being considered failed. This only takes effect when cleanup_dead_servers is set. + disableUpgradeMigration : bool, default is Undefined, optional + only) Disables automatically upgrading Vault using autopilot. (Enterprise-only) + id : str, default is Undefined, optional + id + lastContactThreshold : str, default is Undefined, optional + Limit the amount of time a server can go without leader contact before being considered unhealthy. Limit the amount of time a server can go without leader contact before being considered unhealthy. + maxTrailingLogs : float, default is Undefined, optional + Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. Maximum number of log entries in the Raft log that a server can be behind its leader before being considered unhealthy. + minQuorum : float, default is Undefined, optional + Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. Minimum number of servers allowed in a cluster before autopilot can prune dead servers. This should at least be 3. Applicable only for voting nodes. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + serverStabilizationTime : str, default is Undefined, optional + Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. Minimum amount of time a server must be stable in the 'healthy' state before being added to the cluster. 
+ """ + + + cleanupDeadServers?: bool + + deadServerLastContactThreshold?: str + + disableUpgradeMigration?: bool + + id?: str + + lastContactThreshold?: str + + maxTrailingLogs?: float + + minQuorum?: float + + namespace?: str + + serverStabilizationTime?: str + + +schema RaftVaultUpboundIoV1alpha1AutopilotStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_snapshot_agent_config.k b/crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_snapshot_agent_config.k new file mode 100644 index 00000000..4212a29c --- /dev/null +++ b/crossplane-provider-vault/raft/v1alpha1/raft_vault_upbound_io_v1alpha1_snapshot_agent_config.k 
@@ -0,0 +1,667 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SnapshotAgentConfig: + r""" + SnapshotAgentConfig is the Schema for the SnapshotAgentConfigs API. Creates a Raft Snapshot Agent Configuration for Vault. + + Attributes + ---------- + apiVersion : str, default is "raft.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SnapshotAgentConfig", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpec, default is Undefined, required + spec + status : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatus, default is Undefined, optional + status + """ + + + apiVersion: "raft.vault.upbound.io/v1alpha1" = "raft.vault.upbound.io/v1alpha1" + + kind: "SnapshotAgentConfig" = "SnapshotAgentConfig" + + metadata?: v1.ObjectMeta + + spec: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpec + + status?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatus + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpec: + r""" + SnapshotAgentConfigSpec defines the desired state of SnapshotAgentConfig + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecForProvider, default is Undefined, required + for provider + initProvider : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecForProvider + + initProvider?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderConfigRef + + providerRef?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderRef + + publishConnectionDetailsTo?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecWriteConnectionSecretToRef + + +schema 
RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecForProvider: + r""" + raft vault upbound io v1alpha1 snapshot agent config spec for provider + + Attributes + ---------- + awsAccessKeyId : str, default is Undefined, optional + AWS access key ID. AWS access key ID. + awsS3Bucket : str, default is Undefined, optional + S3 bucket to write snapshots to. S3 bucket to write snapshots to. + awsS3DisableTls : bool, default is Undefined, optional + Disable TLS for the S3 endpoint. This should only be used for testing purposes, typically in conjunction with aws_s3_endpoint. Disable TLS for the S3 endpoint. This should only be used for testing purposes. + awsS3EnableKms : bool, default is Undefined, optional + Use KMS to encrypt bucket contents. Use KMS to encrypt bucket contents. + awsS3Endpoint : str, default is Undefined, optional + AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. + awsS3ForcePathStyle : bool, default is Undefined, optional + Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. Use the endpoint/bucket URL style instead of bucket.endpoint. + awsS3KmsKey : str, default is Undefined, optional + Use named KMS key, when aws_s3_enable_kms = true Use named KMS key, when aws_s3_enable_kms=true + awsS3Region : str, default is Undefined, optional + AWS region bucket is in. AWS region bucket is in. + awsS3ServerSideEncryption : bool, default is Undefined, optional + Use AES256 to encrypt bucket contents. Use AES256 to encrypt bucket contents. + awsSecretAccessKey : str, default is Undefined, optional + AWS secret access key. AWS secret access key. + awsSessionToken : str, default is Undefined, optional + AWS session token. AWS session token. + azureAccountKey : str, default is Undefined, optional + Azure account key. Azure account key. 
+ azureAccountName : str, default is Undefined, optional + Azure account name. Azure account name. + azureBlobEnvironment : str, default is Undefined, optional + Azure blob environment. Azure blob environment. + azureContainerName : str, default is Undefined, optional + Azure container name to write snapshots to. Azure container name to write snapshots to. + azureEndpoint : str, default is Undefined, optional + Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. + filePrefix : str, default is Undefined, optional + Within the directory or bucket prefix given by path_prefix, the file or object name of snapshot files will start with this string. The file or object name of snapshot files will start with this string. + googleDisableTls : bool, default is Undefined, optional + Disable TLS for the GCS endpoint. This should only be used for testing purposes, typically in conjunction with google_endpoint. Disable TLS for the GCS endpoint. + googleEndpoint : str, default is Undefined, optional + GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. + googleGcsBucket : str, default is Undefined, optional + GCS bucket to write snapshots to. GCS bucket to write snapshots to. + googleServiceAccountKey : str, default is Undefined, optional + Google service account key in JSON format. The raw value looks like this: Google service account key in JSON format. + intervalSeconds : float, default is Undefined, optional + Time (in seconds) between snapshots. Number of seconds between snapshots. + localMaxSpace : float, default is Undefined, optional + For storage_type = local, the maximum space, in bytes, to use for snapshots. 
Snapshot attempts will fail if there is not enough space left in this allowance. The maximum space, in bytes, to use for snapshots. + name : str, default is Undefined, optional + – Name of the configuration to modify. Name of the snapshot agent configuration. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pathPrefix : str, default is Undefined, optional + For storage_type = "local", the directory to write the snapshots in. For cloud storage types, the bucket prefix to use. Types azure-s3 and google-gcs require a trailing / (slash). Types local and aws-s3 the trailing / is optional. The directory or bucket prefix to to use. + retain : float, default is Undefined, optional + How many snapshots are to be kept; when writing a snapshot, if there are more snapshots already stored than this number, the oldest ones will be deleted. How many snapshots are to be kept. + storageType : str, default is Undefined, optional + One of "local", "azure-blob", "aws-s3", or "google-gcs". The remaining parameters described below are all specific to the selected storage_type and prefixed accordingly. What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". 
+ """ + + + awsAccessKeyId?: str + + awsS3Bucket?: str + + awsS3DisableTls?: bool + + awsS3EnableKms?: bool + + awsS3Endpoint?: str + + awsS3ForcePathStyle?: bool + + awsS3KmsKey?: str + + awsS3Region?: str + + awsS3ServerSideEncryption?: bool + + awsSecretAccessKey?: str + + awsSessionToken?: str + + azureAccountKey?: str + + azureAccountName?: str + + azureBlobEnvironment?: str + + azureContainerName?: str + + azureEndpoint?: str + + filePrefix?: str + + googleDisableTls?: bool + + googleEndpoint?: str + + googleGcsBucket?: str + + googleServiceAccountKey?: str + + intervalSeconds?: float + + localMaxSpace?: float + + name?: str + + namespace?: str + + pathPrefix?: str + + retain?: float + + storageType?: str + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + awsAccessKeyId : str, default is Undefined, optional + AWS access key ID. AWS access key ID. + awsS3Bucket : str, default is Undefined, optional + S3 bucket to write snapshots to. S3 bucket to write snapshots to. + awsS3DisableTls : bool, default is Undefined, optional + Disable TLS for the S3 endpoint. This should only be used for testing purposes, typically in conjunction with aws_s3_endpoint. Disable TLS for the S3 endpoint. 
This should only be used for testing purposes. + awsS3EnableKms : bool, default is Undefined, optional + Use KMS to encrypt bucket contents. Use KMS to encrypt bucket contents. + awsS3Endpoint : str, default is Undefined, optional + AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. + awsS3ForcePathStyle : bool, default is Undefined, optional + Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. Use the endpoint/bucket URL style instead of bucket.endpoint. + awsS3KmsKey : str, default is Undefined, optional + Use named KMS key, when aws_s3_enable_kms = true Use named KMS key, when aws_s3_enable_kms=true + awsS3Region : str, default is Undefined, optional + AWS region bucket is in. AWS region bucket is in. + awsS3ServerSideEncryption : bool, default is Undefined, optional + Use AES256 to encrypt bucket contents. Use AES256 to encrypt bucket contents. + awsSecretAccessKey : str, default is Undefined, optional + AWS secret access key. AWS secret access key. + awsSessionToken : str, default is Undefined, optional + AWS session token. AWS session token. + azureAccountKey : str, default is Undefined, optional + Azure account key. Azure account key. + azureAccountName : str, default is Undefined, optional + Azure account name. Azure account name. + azureBlobEnvironment : str, default is Undefined, optional + Azure blob environment. Azure blob environment. + azureContainerName : str, default is Undefined, optional + Azure container name to write snapshots to. Azure container name to write snapshots to. + azureEndpoint : str, default is Undefined, optional + Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. 
+ filePrefix : str, default is Undefined, optional + Within the directory or bucket prefix given by path_prefix, the file or object name of snapshot files will start with this string. The file or object name of snapshot files will start with this string. + googleDisableTls : bool, default is Undefined, optional + Disable TLS for the GCS endpoint. This should only be used for testing purposes, typically in conjunction with google_endpoint. Disable TLS for the GCS endpoint. + googleEndpoint : str, default is Undefined, optional + GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. + googleGcsBucket : str, default is Undefined, optional + GCS bucket to write snapshots to. GCS bucket to write snapshots to. + googleServiceAccountKey : str, default is Undefined, optional + Google service account key in JSON format. The raw value looks like this: Google service account key in JSON format. + intervalSeconds : float, default is Undefined, optional + Time (in seconds) between snapshots. Number of seconds between snapshots. + localMaxSpace : float, default is Undefined, optional + For storage_type = local, the maximum space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough space left in this allowance. The maximum space, in bytes, to use for snapshots. + name : str, default is Undefined, optional + – Name of the configuration to modify. Name of the snapshot agent configuration. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + pathPrefix : str, default is Undefined, optional + For storage_type = "local", the directory to write the snapshots in. For cloud storage types, the bucket prefix to use. Types azure-s3 and google-gcs require a trailing / (slash). Types local and aws-s3 the trailing / is optional. The directory or bucket prefix to to use. + retain : float, default is Undefined, optional + How many snapshots are to be kept; when writing a snapshot, if there are more snapshots already stored than this number, the oldest ones will be deleted. How many snapshots are to be kept. + storageType : str, default is Undefined, optional + One of "local", "azure-blob", "aws-s3", or "google-gcs". The remaining parameters described below are all specific to the selected storage_type and prefixed accordingly. What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". + """ + + + awsAccessKeyId?: str + + awsS3Bucket?: str + + awsS3DisableTls?: bool + + awsS3EnableKms?: bool + + awsS3Endpoint?: str + + awsS3ForcePathStyle?: bool + + awsS3KmsKey?: str + + awsS3Region?: str + + awsS3ServerSideEncryption?: bool + + awsSecretAccessKey?: str + + awsSessionToken?: str + + azureAccountKey?: str + + azureAccountName?: str + + azureBlobEnvironment?: str + + azureContainerName?: str + + azureEndpoint?: str + + filePrefix?: str + + googleDisableTls?: bool + + googleEndpoint?: str + + googleGcsBucket?: str + + googleServiceAccountKey?: str + + intervalSeconds?: float + + localMaxSpace?: float + + name?: str + + namespace?: str + + pathPrefix?: str + + retain?: float + + storageType?: str + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderConfigRefPolicy + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderRefPolicy + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToConfigRef + + metadata?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToMetadata + + name: str + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToConfigRefPolicy + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatus: + r""" + SnapshotAgentConfigStatus defines the observed state of SnapshotAgentConfig. + + Attributes + ---------- + atProvider : RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatusAtProvider, default is Undefined, optional + at provider + conditions : [RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatusAtProvider + + conditions?: [RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatusConditionsItems0] + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatusAtProvider: + r""" + raft vault upbound io v1alpha1 snapshot agent config status at provider + + Attributes + ---------- + awsAccessKeyId : str, default is Undefined, optional + AWS access key ID. AWS access key ID. + awsS3Bucket : str, default is Undefined, optional + S3 bucket to write snapshots to. S3 bucket to write snapshots to. + awsS3DisableTls : bool, default is Undefined, optional + Disable TLS for the S3 endpoint. 
This should only be used for testing purposes, typically in conjunction with aws_s3_endpoint. Disable TLS for the S3 endpoint. This should only be used for testing purposes. + awsS3EnableKms : bool, default is Undefined, optional + Use KMS to encrypt bucket contents. Use KMS to encrypt bucket contents. + awsS3Endpoint : str, default is Undefined, optional + AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio. + awsS3ForcePathStyle : bool, default is Undefined, optional + Use the endpoint/bucket URL style instead of bucket.endpoint. May be needed when setting aws_s3_endpoint. Use the endpoint/bucket URL style instead of bucket.endpoint. + awsS3KmsKey : str, default is Undefined, optional + Use named KMS key, when aws_s3_enable_kms = true Use named KMS key, when aws_s3_enable_kms=true + awsS3Region : str, default is Undefined, optional + AWS region bucket is in. AWS region bucket is in. + awsS3ServerSideEncryption : bool, default is Undefined, optional + Use AES256 to encrypt bucket contents. Use AES256 to encrypt bucket contents. + awsSecretAccessKey : str, default is Undefined, optional + AWS secret access key. AWS secret access key. + awsSessionToken : str, default is Undefined, optional + AWS session token. AWS session token. + azureAccountKey : str, default is Undefined, optional + Azure account key. Azure account key. + azureAccountName : str, default is Undefined, optional + Azure account name. Azure account name. + azureBlobEnvironment : str, default is Undefined, optional + Azure blob environment. Azure blob environment. + azureContainerName : str, default is Undefined, optional + Azure container name to write snapshots to. Azure container name to write snapshots to. + azureEndpoint : str, default is Undefined, optional + Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. 
Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite. + filePrefix : str, default is Undefined, optional + Within the directory or bucket prefix given by path_prefix, the file or object name of snapshot files will start with this string. The file or object name of snapshot files will start with this string. + googleDisableTls : bool, default is Undefined, optional + Disable TLS for the GCS endpoint. This should only be used for testing purposes, typically in conjunction with google_endpoint. Disable TLS for the GCS endpoint. + googleEndpoint : str, default is Undefined, optional + GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server. + googleGcsBucket : str, default is Undefined, optional + GCS bucket to write snapshots to. GCS bucket to write snapshots to. + googleServiceAccountKey : str, default is Undefined, optional + Google service account key in JSON format. The raw value looks like this: Google service account key in JSON format. + id : str, default is Undefined, optional + id + intervalSeconds : float, default is Undefined, optional + Time (in seconds) between snapshots. Number of seconds between snapshots. + localMaxSpace : float, default is Undefined, optional + For storage_type = local, the maximum space, in bytes, to use for snapshots. Snapshot attempts will fail if there is not enough space left in this allowance. The maximum space, in bytes, to use for snapshots. + name : str, default is Undefined, optional + – Name of the configuration to modify. Name of the snapshot agent configuration. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. 
Available only for Vault Enterprise. Target namespace. (requires Enterprise) + pathPrefix : str, default is Undefined, optional + For storage_type = "local", the directory to write the snapshots in. For cloud storage types, the bucket prefix to use. Types azure-s3 and google-gcs require a trailing / (slash). Types local and aws-s3 the trailing / is optional. The directory or bucket prefix to to use. + retain : float, default is Undefined, optional + How many snapshots are to be kept; when writing a snapshot, if there are more snapshots already stored than this number, the oldest ones will be deleted. How many snapshots are to be kept. + storageType : str, default is Undefined, optional + One of "local", "azure-blob", "aws-s3", or "google-gcs". The remaining parameters described below are all specific to the selected storage_type and prefixed accordingly. What storage service to send snapshots to. One of "local", "azure-blob", "aws-s3", or "google-gcs". + """ + + + awsAccessKeyId?: str + + awsS3Bucket?: str + + awsS3DisableTls?: bool + + awsS3EnableKms?: bool + + awsS3Endpoint?: str + + awsS3ForcePathStyle?: bool + + awsS3KmsKey?: str + + awsS3Region?: str + + awsS3ServerSideEncryption?: bool + + awsSecretAccessKey?: str + + awsSessionToken?: str + + azureAccountKey?: str + + azureAccountName?: str + + azureBlobEnvironment?: str + + azureContainerName?: str + + azureEndpoint?: str + + filePrefix?: str + + googleDisableTls?: bool + + googleEndpoint?: str + + googleGcsBucket?: str + + googleServiceAccountKey?: str + + id?: str + + intervalSeconds?: float + + localMaxSpace?: float + + name?: str + + namespace?: str + + pathPrefix?: str + + retain?: float + + storageType?: str + + +schema RaftVaultUpboundIoV1alpha1SnapshotAgentConfigStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/rgp/v1alpha1/rgp_vault_upbound_io_v1alpha1_policy.k b/crossplane-provider-vault/rgp/v1alpha1/rgp_vault_upbound_io_v1alpha1_policy.k new file mode 100644 index 00000000..ac0f5e5c --- /dev/null +++ b/crossplane-provider-vault/rgp/v1alpha1/rgp_vault_upbound_io_v1alpha1_policy.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Policy: + r""" + Policy is the Schema for the Policys API. Writes Sentinel role governing policies for Vault + + Attributes + ---------- + apiVersion : str, default is "rgp.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Policy", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : RgpVaultUpboundIoV1alpha1PolicySpec, default is Undefined, required + spec + status : RgpVaultUpboundIoV1alpha1PolicyStatus, default is Undefined, optional + status + """ + + + apiVersion: "rgp.vault.upbound.io/v1alpha1" = "rgp.vault.upbound.io/v1alpha1" + + kind: "Policy" = "Policy" + + metadata?: v1.ObjectMeta + + spec: RgpVaultUpboundIoV1alpha1PolicySpec + + status?: RgpVaultUpboundIoV1alpha1PolicyStatus + + +schema RgpVaultUpboundIoV1alpha1PolicySpec: + r""" + PolicySpec defines the desired state of Policy + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : RgpVaultUpboundIoV1alpha1PolicySpecForProvider, default is Undefined, required + for provider + initProvider : RgpVaultUpboundIoV1alpha1PolicySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : RgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : RgpVaultUpboundIoV1alpha1PolicySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : RgpVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: RgpVaultUpboundIoV1alpha1PolicySpecForProvider + + initProvider?: RgpVaultUpboundIoV1alpha1PolicySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: RgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRef + + providerRef?: RgpVaultUpboundIoV1alpha1PolicySpecProviderRef + + publishConnectionDetailsTo?: RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: RgpVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef + + +schema RgpVaultUpboundIoV1alpha1PolicySpecForProvider: + r""" + rgp vault upbound io v1alpha1 policy spec for provider + + Attributes + ---------- + enforcementLevel : str, default is Undefined, optional + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory Enforcement level of Sentinel policy. 
Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a Sentinel policy The policy document + """ + + + enforcementLevel?: str + + name?: str + + namespace?: str + + policy?: str + + +schema RgpVaultUpboundIoV1alpha1PolicySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + enforcementLevel : str, default is Undefined, optional + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a Sentinel policy The policy document + """ + + + enforcementLevel?: str + + name?: str + + namespace?: str + + policy?: str + + +schema RgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy + + +schema RgpVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RgpVaultUpboundIoV1alpha1PolicySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RgpVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RgpVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy + + +schema RgpVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef + + metadata?: RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata + + name: str + + +schema RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy + + +schema RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema RgpVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema RgpVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema RgpVaultUpboundIoV1alpha1PolicyStatus: + r""" + PolicyStatus defines the observed state of Policy. + + Attributes + ---------- + atProvider : RgpVaultUpboundIoV1alpha1PolicyStatusAtProvider, default is Undefined, optional + at provider + conditions : [RgpVaultUpboundIoV1alpha1PolicyStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: RgpVaultUpboundIoV1alpha1PolicyStatusAtProvider + + conditions?: [RgpVaultUpboundIoV1alpha1PolicyStatusConditionsItems0] + + +schema RgpVaultUpboundIoV1alpha1PolicyStatusAtProvider: + r""" + rgp vault upbound io v1alpha1 policy status at provider + + Attributes + ---------- + enforcementLevel : str, default is Undefined, optional + Enforcement level of Sentinel policy. Can be either advisory or soft-mandatory or hard-mandatory Enforcement level of Sentinel policy. Can be one of: 'advisory', 'soft-mandatory' or 'hard-mandatory' + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a Sentinel policy The policy document + """ + + + enforcementLevel?: str + + id?: str + + name?: str + + namespace?: str + + policy?: str + + +schema RgpVaultUpboundIoV1alpha1PolicyStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_c_a.k b/crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_c_a.k new file mode 100644 index 00000000..0c20429b --- /dev/null +++ b/crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_c_a.k 
@@ -0,0 +1,405 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendCA: + r""" + SecretBackendCA is the Schema for the SecretBackendCAs API. Managing CA information in an SSH secret backend in Vault + + Attributes + ---------- + apiVersion : str, default is "ssh.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendCA", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : SSHVaultUpboundIoV1alpha1SecretBackendCASpec, default is Undefined, required + spec + status : SSHVaultUpboundIoV1alpha1SecretBackendCAStatus, default is Undefined, optional + status + """ + + + apiVersion: "ssh.vault.upbound.io/v1alpha1" = "ssh.vault.upbound.io/v1alpha1" + + kind: "SecretBackendCA" = "SecretBackendCA" + + metadata?: v1.ObjectMeta + + spec: SSHVaultUpboundIoV1alpha1SecretBackendCASpec + + status?: SSHVaultUpboundIoV1alpha1SecretBackendCAStatus + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpec: + r""" + SecretBackendCASpec defines the desired state of SecretBackendCA + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : SSHVaultUpboundIoV1alpha1SecretBackendCASpecForProvider, default is Undefined, required + for provider + initProvider : SSHVaultUpboundIoV1alpha1SecretBackendCASpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : SSHVaultUpboundIoV1alpha1SecretBackendCASpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: SSHVaultUpboundIoV1alpha1SecretBackendCASpecForProvider + + initProvider?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderConfigRef + + providerRef?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderRef + + publishConnectionDetailsTo?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecWriteConnectionSecretToRef + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecForProvider: + r""" + SSH vault upbound io 
v1alpha1 secret backend c a spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path where the SSH secret backend is mounted. Defaults to 'ssh' The path of the SSH Secret Backend where the CA should be configured + generateSigningKey : bool, default is Undefined, optional + Whether Vault should generate the signing key pair internally. Defaults to true Whether Vault should generate the signing key pair internally. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + privateKeySecretRef : SSHVaultUpboundIoV1alpha1SecretBackendCASpecForProviderPrivateKeySecretRef, default is Undefined, optional + private key secret ref + publicKey : str, default is Undefined, optional + The public key part the SSH CA key pair; required if generate_signing_key is false. Public key part the SSH CA key pair; required if generate_signing_key is false. + """ + + + backend?: str + + generateSigningKey?: bool + + namespace?: str + + privateKeySecretRef?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecForProviderPrivateKeySecretRef + + publicKey?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecForProviderPrivateKeySecretRef: + r""" + The private key part the SSH CA key pair; required if generate_signing_key is false. Private key part the SSH CA key pair; required if generate_signing_key is false. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + The path where the SSH secret backend is mounted. Defaults to 'ssh' The path of the SSH Secret Backend where the CA should be configured + generateSigningKey : bool, default is Undefined, optional + Whether Vault should generate the signing key pair internally. Defaults to true Whether Vault should generate the signing key pair internally. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + publicKey : str, default is Undefined, optional + The public key part the SSH CA key pair; required if generate_signing_key is false. Public key part the SSH CA key pair; required if generate_signing_key is false. 
+ """ + + + backend?: str + + generateSigningKey?: bool + + namespace?: str + + publicKey?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderConfigRefPolicy + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderRefPolicy + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToConfigRef + + metadata?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToMetadata + + name: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToConfigRefPolicy + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCASpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCAStatus: + r""" + SecretBackendCAStatus defines the observed state of SecretBackendCA. + + Attributes + ---------- + atProvider : SSHVaultUpboundIoV1alpha1SecretBackendCAStatusAtProvider, default is Undefined, optional + at provider + conditions : [SSHVaultUpboundIoV1alpha1SecretBackendCAStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: SSHVaultUpboundIoV1alpha1SecretBackendCAStatusAtProvider + + conditions?: [SSHVaultUpboundIoV1alpha1SecretBackendCAStatusConditionsItems0] + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCAStatusAtProvider: + r""" + SSH vault upbound io v1alpha1 secret backend c a status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + The path where the SSH secret backend is mounted. Defaults to 'ssh' The path of the SSH Secret Backend where the CA should be configured + generateSigningKey : bool, default is Undefined, optional + Whether Vault should generate the signing key pair internally. Defaults to true Whether Vault should generate the signing key pair internally. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + publicKey : str, default is Undefined, optional + The public key part the SSH CA key pair; required if generate_signing_key is false. Public key part the SSH CA key pair; required if generate_signing_key is false. + """ + + + backend?: str + + generateSigningKey?: bool + + id?: str + + namespace?: str + + publicKey?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendCAStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_role.k b/crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_role.k new file mode 100644 index 00000000..f4590d62 --- /dev/null +++ b/crossplane-provider-vault/ssh/v1alpha1/ssh_vault_upbound_io_v1alpha1_secret_backend_role.k 
@@ -0,0 +1,709 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendRole: + r""" + SecretBackendRole is the Schema for the SecretBackendRoles API. Managing roles in an SSH secret backend in Vault + + Attributes + ---------- + apiVersion : str, default is "ssh.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpec, default is Undefined, required + spec + status : SSHVaultUpboundIoV1alpha1SecretBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "ssh.vault.upbound.io/v1alpha1" = "ssh.vault.upbound.io/v1alpha1" + + kind: "SecretBackendRole" = "SecretBackendRole" + + metadata?: v1.ObjectMeta + + spec: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpec + + status?: SSHVaultUpboundIoV1alpha1SecretBackendRoleStatus + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpec: + r""" + SecretBackendRoleSpec defines the desired state of SecretBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider + + initProvider?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef + + providerRef?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecForProvider: + r""" + 
SSH vault upbound io v1alpha1 secret backend role spec for provider + + Attributes + ---------- + algorithmSigner : str, default is Undefined, optional + When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. + allowBareDomains : bool, default is Undefined, optional + Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains. + allowHostCertificates : bool, default is Undefined, optional + Specifies if certificates are allowed to be signed for use as a 'host'. + allowSubdomains : bool, default is Undefined, optional + Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. + allowUserCertificates : bool, default is Undefined, optional + Specifies if certificates are allowed to be signed for use as a 'user'. + allowUserKeyIds : bool, default is Undefined, optional + Specifies if users can override the key ID for a signed certificate with the key_id field. + allowedCriticalOptions : str, default is Undefined, optional + Specifies a comma-separated list of critical options that certificates can have when signed. + allowedDomains : str, default is Undefined, optional + The list of domains for which a client can request a host certificate. + allowedDomainsTemplate : bool, default is Undefined, optional + Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted. + allowedExtensions : str, default is Undefined, optional + Specifies a comma-separated list of extensions that certificates can have when signed. + allowedUserKeyConfig : [SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAllowedUserKeyConfigItems0], default is Undefined, optional + Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. 
See Set of allowed public key types and their relevant configuration + allowedUserKeyLengths : {str:float}, default is Undefined, optional + Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type. Deprecated: use allowed_user_key_config instead + allowedUsers : str, default is Undefined, optional + Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. + allowedUsersTemplate : bool, default is Undefined, optional + Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted. + backend : str, default is Undefined, optional + The path where the SSH secret backend is mounted. + cidrList : str, default is Undefined, optional + The comma-separated string of CIDR blocks for which this role is applicable. + defaultCriticalOptions : {str:str}, default is Undefined, optional + Specifies a map of critical options that certificates have when signed. + defaultExtensions : {str:str}, default is Undefined, optional + Specifies a map of extensions that certificates have when signed. + defaultUser : str, default is Undefined, optional + Specifies the default username for which a credential will be generated. + defaultUserTemplate : bool, default is Undefined, optional + If set, default_users can be specified using identity template values. A non-templated user is also permitted. + keyIdFormat : str, default is Undefined, optional + Specifies a custom format for the key id of a signed certificate. + keyType : str, default is Undefined, optional + Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca. + maxTtl : str, default is Undefined, optional + Specifies the maximum Time To Live value. + name : str, default is Undefined, optional + Specifies the name of the role to create. Unique name for the role. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + notBeforeDuration : str, default is Undefined, optional + Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. + ttl : str, default is Undefined, optional + Specifies the Time To Live value. + """ + + + algorithmSigner?: str + + allowBareDomains?: bool + + allowHostCertificates?: bool + + allowSubdomains?: bool + + allowUserCertificates?: bool + + allowUserKeyIds?: bool + + allowedCriticalOptions?: str + + allowedDomains?: str + + allowedDomainsTemplate?: bool + + allowedExtensions?: str + + allowedUserKeyConfig?: [SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAllowedUserKeyConfigItems0] + + allowedUserKeyLengths?: {str:float} + + allowedUsers?: str + + allowedUsersTemplate?: bool + + backend?: str + + cidrList?: str + + defaultCriticalOptions?: {str:str} + + defaultExtensions?: {str:str} + + defaultUser?: str + + defaultUserTemplate?: bool + + keyIdFormat?: str + + keyType?: str + + maxTtl?: str + + name?: str + + namespace?: str + + notBeforeDuration?: str + + ttl?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecForProviderAllowedUserKeyConfigItems0: + r""" + SSH vault upbound io v1alpha1 secret backend role spec for provider allowed user key config items0 + + Attributes + ---------- + lengths : [float], default is Undefined, optional + A list of allowed key lengths as integers. For key types that do not support setting the length a value of [0] should be used. Setting multiple lengths is only supported on Vault 1.10+. For prior releases length must be set to a single element list. 
List of allowed key lengths, vault-1.10 and above + $type : str, default is Undefined, optional + The SSH public key type. Supported key types are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + """ + + + lengths?: [float] + + $type?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + algorithmSigner : str, default is Undefined, optional + When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. + allowBareDomains : bool, default is Undefined, optional + Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains. + allowHostCertificates : bool, default is Undefined, optional + Specifies if certificates are allowed to be signed for use as a 'host'. + allowSubdomains : bool, default is Undefined, optional + Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. 
+ allowUserCertificates : bool, default is Undefined, optional + Specifies if certificates are allowed to be signed for use as a 'user'. + allowUserKeyIds : bool, default is Undefined, optional + Specifies if users can override the key ID for a signed certificate with the key_id field. + allowedCriticalOptions : str, default is Undefined, optional + Specifies a comma-separated list of critical options that certificates can have when signed. + allowedDomains : str, default is Undefined, optional + The list of domains for which a client can request a host certificate. + allowedDomainsTemplate : bool, default is Undefined, optional + Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted. + allowedExtensions : str, default is Undefined, optional + Specifies a comma-separated list of extensions that certificates can have when signed. + allowedUserKeyConfig : [SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAllowedUserKeyConfigItems0], default is Undefined, optional + Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. See Set of allowed public key types and their relevant configuration + allowedUserKeyLengths : {str:float}, default is Undefined, optional + Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type. Deprecated: use allowed_user_key_config instead + allowedUsers : str, default is Undefined, optional + Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. + allowedUsersTemplate : bool, default is Undefined, optional + Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted. + backend : str, default is Undefined, optional + The path where the SSH secret backend is mounted. 
+ cidrList : str, default is Undefined, optional + The comma-separated string of CIDR blocks for which this role is applicable. + defaultCriticalOptions : {str:str}, default is Undefined, optional + Specifies a map of critical options that certificates have when signed. + defaultExtensions : {str:str}, default is Undefined, optional + Specifies a map of extensions that certificates have when signed. + defaultUser : str, default is Undefined, optional + Specifies the default username for which a credential will be generated. + defaultUserTemplate : bool, default is Undefined, optional + If set, default_users can be specified using identity template values. A non-templated user is also permitted. + keyIdFormat : str, default is Undefined, optional + Specifies a custom format for the key id of a signed certificate. + keyType : str, default is Undefined, optional + Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca. + maxTtl : str, default is Undefined, optional + Specifies the maximum Time To Live value. + name : str, default is Undefined, optional + Specifies the name of the role to create. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + notBeforeDuration : str, default is Undefined, optional + Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. + ttl : str, default is Undefined, optional + Specifies the Time To Live value. 
+ """ + + + algorithmSigner?: str + + allowBareDomains?: bool + + allowHostCertificates?: bool + + allowSubdomains?: bool + + allowUserCertificates?: bool + + allowUserKeyIds?: bool + + allowedCriticalOptions?: str + + allowedDomains?: str + + allowedDomainsTemplate?: bool + + allowedExtensions?: str + + allowedUserKeyConfig?: [SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAllowedUserKeyConfigItems0] + + allowedUserKeyLengths?: {str:float} + + allowedUsers?: str + + allowedUsersTemplate?: bool + + backend?: str + + cidrList?: str + + defaultCriticalOptions?: {str:str} + + defaultExtensions?: {str:str} + + defaultUser?: str + + defaultUserTemplate?: bool + + keyIdFormat?: str + + keyType?: str + + maxTtl?: str + + name?: str + + namespace?: str + + notBeforeDuration?: str + + ttl?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecInitProviderAllowedUserKeyConfigItems0: + r""" + SSH vault upbound io v1alpha1 secret backend role spec init provider allowed user key config items0 + + Attributes + ---------- + lengths : [float], default is Undefined, optional + A list of allowed key lengths as integers. For key types that do not support setting the length a value of [0] should be used. Setting multiple lengths is only supported on Vault 1.10+. For prior releases length must be set to a single element list. List of allowed key lengths, vault-1.10 and above + $type : str, default is Undefined, optional + The SSH public key type. 
Supported key types are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + """ + + + lengths?: [float] + + $type?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleStatus: + r""" + SecretBackendRoleStatus defines the observed state of SecretBackendRole. + + Attributes + ---------- + atProvider : SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider + + conditions?: [SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0] + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProvider: + r""" + SSH vault upbound io v1alpha1 secret backend role status at provider + + Attributes + ---------- + algorithmSigner : str, default is Undefined, optional + When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512. + allowBareDomains : bool, default is Undefined, optional + Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains. + allowHostCertificates : bool, default is Undefined, optional + Specifies if certificates are allowed to be signed for use as a 'host'. + allowSubdomains : bool, default is Undefined, optional + Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains. + allowUserCertificates : bool, default is Undefined, optional + Specifies if certificates are allowed to be signed for use as a 'user'. + allowUserKeyIds : bool, default is Undefined, optional + Specifies if users can override the key ID for a signed certificate with the key_id field. + allowedCriticalOptions : str, default is Undefined, optional + Specifies a comma-separated list of critical options that certificates can have when signed. + allowedDomains : str, default is Undefined, optional + The list of domains for which a client can request a host certificate. + allowedDomainsTemplate : bool, default is Undefined, optional + Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted. + allowedExtensions : str, default is Undefined, optional + Specifies a comma-separated list of extensions that certificates can have when signed. 
+ allowedUserKeyConfig : [SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAllowedUserKeyConfigItems0], default is Undefined, optional + Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. See Set of allowed public key types and their relevant configuration + allowedUserKeyLengths : {str:float}, default is Undefined, optional + Specifies a map of ssh key types and their expected sizes which are allowed to be signed by the CA type. Deprecated: use allowed_user_key_config instead + allowedUsers : str, default is Undefined, optional + Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed. + allowedUsersTemplate : bool, default is Undefined, optional + Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted. + backend : str, default is Undefined, optional + The path where the SSH secret backend is mounted. + cidrList : str, default is Undefined, optional + The comma-separated string of CIDR blocks for which this role is applicable. + defaultCriticalOptions : {str:str}, default is Undefined, optional + Specifies a map of critical options that certificates have when signed. + defaultExtensions : {str:str}, default is Undefined, optional + Specifies a map of extensions that certificates have when signed. + defaultUser : str, default is Undefined, optional + Specifies the default username for which a credential will be generated. + defaultUserTemplate : bool, default is Undefined, optional + If set, default_users can be specified using identity template values. A non-templated user is also permitted. + id : str, default is Undefined, optional + id + keyIdFormat : str, default is Undefined, optional + Specifies a custom format for the key id of a signed certificate. 
+ keyType : str, default is Undefined, optional + Specifies the type of credentials generated by this role. This can be either otp, dynamic or ca. + maxTtl : str, default is Undefined, optional + Specifies the maximum Time To Live value. + name : str, default is Undefined, optional + Specifies the name of the role to create. Unique name for the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + notBeforeDuration : str, default is Undefined, optional + Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings. + ttl : str, default is Undefined, optional + Specifies the Time To Live value. 
+ """ + + + algorithmSigner?: str + + allowBareDomains?: bool + + allowHostCertificates?: bool + + allowSubdomains?: bool + + allowUserCertificates?: bool + + allowUserKeyIds?: bool + + allowedCriticalOptions?: str + + allowedDomains?: str + + allowedDomainsTemplate?: bool + + allowedExtensions?: str + + allowedUserKeyConfig?: [SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAllowedUserKeyConfigItems0] + + allowedUserKeyLengths?: {str:float} + + allowedUsers?: str + + allowedUsersTemplate?: bool + + backend?: str + + cidrList?: str + + defaultCriticalOptions?: {str:str} + + defaultExtensions?: {str:str} + + defaultUser?: str + + defaultUserTemplate?: bool + + id?: str + + keyIdFormat?: str + + keyType?: str + + maxTtl?: str + + name?: str + + namespace?: str + + notBeforeDuration?: str + + ttl?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusAtProviderAllowedUserKeyConfigItems0: + r""" + SSH vault upbound io v1alpha1 secret backend role status at provider allowed user key config items0 + + Attributes + ---------- + lengths : [float], default is Undefined, optional + A list of allowed key lengths as integers. For key types that do not support setting the length a value of [0] should be used. Setting multiple lengths is only supported on Vault 1.10+. For prior releases length must be set to a single element list. List of allowed key lengths, vault-1.10 and above + $type : str, default is Undefined, optional + The SSH public key type. Supported key types are: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 Key type, choices: rsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 + """ + + + lengths?: [float] + + $type?: str + + +schema SSHVaultUpboundIoV1alpha1SecretBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_backend.k b/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_backend.k new file mode 100644 index 00000000..0a05fad2 --- /dev/null +++ b/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_backend.k 
@@ -0,0 +1,453 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema CloudSecretBackend: + r""" + CloudSecretBackend is the Schema for the CloudSecretBackends API. + + Attributes + ---------- + apiVersion : str, default is "terraform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "CloudSecretBackend", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpec, default is Undefined, required + spec + status : TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatus, default is Undefined, optional + status + """ + + + apiVersion: "terraform.vault.upbound.io/v1alpha1" = "terraform.vault.upbound.io/v1alpha1" + + kind: "CloudSecretBackend" = "CloudSecretBackend" + + metadata?: v1.ObjectMeta + + spec: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpec + + status?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatus + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpec: + r""" + CloudSecretBackendSpec defines the desired state of CloudSecretBackend + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed 
resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecForProvider, default is Undefined, required + for provider + initProvider : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecForProvider + + initProvider?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderConfigRef + + providerRef?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderRef + + publishConnectionDetailsTo?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecWriteConnectionSecretToRef + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecForProvider: + r""" + terraform vault upbound io v1alpha1 cloud secret backend spec for provider + + Attributes + ---------- + address : str, default is Undefined, optional + 0.0.1:8500". + backend : str, default is Undefined, optional + The unique location this backend should be mounted at. 
Must not begin or end with a / + basePath : str, default is Undefined, optional + base path + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + tokenSecretRef : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecForProviderTokenSecretRef, default is Undefined, optional + token secret ref + """ + + + address?: str + + backend?: str + + basePath?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + tokenSecretRef?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecForProviderTokenSecretRef + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecForProviderTokenSecretRef: + r""" + A SecretKeySelector is a reference to a secret key in an arbitrary namespace. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + address : str, default is Undefined, optional + 0.0.1:8500". + backend : str, default is Undefined, optional + The unique location this backend should be mounted at. Must not begin or end with a / + basePath : str, default is Undefined, optional + base path + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. 
The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + """ + + + address?: str + + backend?: str + + basePath?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderConfigRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToConfigRef + + metadata?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatus: + r""" + CloudSecretBackendStatus defines the observed state of CloudSecretBackend. 
+ + Attributes + ---------- + atProvider : TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatusAtProvider, default is Undefined, optional + at provider + conditions : [TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatusAtProvider + + conditions?: [TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatusConditionsItems0] + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatusAtProvider: + r""" + terraform vault upbound io v1alpha1 cloud secret backend status at provider + + Attributes + ---------- + address : str, default is Undefined, optional + 0.0.1:8500". + backend : str, default is Undefined, optional + The unique location this backend should be mounted at. Must not begin or end with a / + basePath : str, default is Undefined, optional + base path + defaultLeaseTtlSeconds : float, default is Undefined, optional + The default TTL for credentials issued by this backend. Default lease duration for secrets in seconds + description : str, default is Undefined, optional + A human-friendly description for this backend. Human-friendly description of the mount for the backend. + disableRemount : bool, default is Undefined, optional + If set, opts out of mount migration on path updates. See here for more info on Mount Migration If set, opts out of mount migration on path updates. + id : str, default is Undefined, optional + id + maxLeaseTtlSeconds : float, default is Undefined, optional + The maximum TTL that can be requested for credentials issued by this backend. Maximum possible lease duration for secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. 
Target namespace. (requires Enterprise) + """ + + + address?: str + + backend?: str + + basePath?: str + + defaultLeaseTtlSeconds?: float + + description?: str + + disableRemount?: bool + + id?: str + + maxLeaseTtlSeconds?: float + + namespace?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretBackendStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_creds.k b/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_creds.k new file mode 100644 index 00000000..bb3a787c --- /dev/null +++ b/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_creds.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema CloudSecretCreds: + r""" + CloudSecretCreds is the Schema for the CloudSecretCredss API. + + Attributes + ---------- + apiVersion : str, default is "terraform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "CloudSecretCreds", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpec, default is Undefined, required + spec + status : TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatus, default is Undefined, optional + status + """ + + + apiVersion: "terraform.vault.upbound.io/v1alpha1" = "terraform.vault.upbound.io/v1alpha1" + + kind: "CloudSecretCreds" = "CloudSecretCreds" + + metadata?: v1.ObjectMeta + + spec: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpec + + status?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatus + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpec: + r""" + CloudSecretCredsSpec defines the desired state of CloudSecretCreds + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either 
"Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecForProvider, default is Undefined, required + for provider + initProvider : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecForProvider + + initProvider?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderConfigRef + + providerRef?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderRef + + publishConnectionDetailsTo?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecWriteConnectionSecretToRef + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecForProvider: + r""" + terraform vault upbound io v1alpha1 cloud secret creds spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + the path to the Upbound official provider cloud secret backend to read credentials from, with no leading or trailing /s. 
Upbound official provider cloud secret backend to generate tokens from + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the role. + """ + + + backend?: str + + namespace?: str + + role?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + the path to the Upbound official provider cloud secret backend to read credentials from, with no leading or trailing /s. Upbound official provider cloud secret backend to generate tokens from + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + role : str, default is Undefined, optional + Name of the role. 
+ """ + + + backend?: str + + namespace?: str + + role?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderConfigRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToConfigRef + + metadata?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. 
- For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatus: + r""" + CloudSecretCredsStatus defines the observed state of CloudSecretCreds. + + Attributes + ---------- + atProvider : TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatusAtProvider, default is Undefined, optional + at provider + conditions : [TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatusAtProvider + + conditions?: [TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatusConditionsItems0] + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatusAtProvider: + r""" + terraform vault upbound io v1alpha1 cloud secret creds status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + the path to the Upbound official provider cloud secret backend to read credentials from, with no leading or trailing /s. Upbound official provider cloud secret backend to generate tokens from + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + The organization associated with the token provided + role : str, default is Undefined, optional + Name of the role. + teamId : str, default is Undefined, optional + The team id associated with the token provided.g., settings/teams/team-xxxxxxxxxxxxx) + tokenId : str, default is Undefined, optional + The public identifier for a specific token. It can be used to look up information about a token or to revoke a token + """ + + + backend?: str + + id?: str + + namespace?: str + + organization?: str + + role?: str + + teamId?: str + + tokenId?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretCredsStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_role.k b/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_role.k new file mode 100644 index 00000000..b629d64c --- /dev/null +++ b/crossplane-provider-vault/terraform/v1alpha1/terraform_vault_upbound_io_v1alpha1_cloud_secret_role.k 
@@ -0,0 +1,427 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema CloudSecretRole: + r""" + CloudSecretRole is the Schema for the CloudSecretRoles API. + + Attributes + ---------- + apiVersion : str, default is "terraform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "CloudSecretRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpec, default is Undefined, required + spec + status : TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "terraform.vault.upbound.io/v1alpha1" = "terraform.vault.upbound.io/v1alpha1" + + kind: "CloudSecretRole" = "CloudSecretRole" + + metadata?: v1.ObjectMeta + + spec: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpec + + status?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatus + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpec: + r""" + CloudSecretRoleSpec defines the desired state of CloudSecretRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or 
"Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecForProvider, default is Undefined, required + for provider + initProvider : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecForProvider + + initProvider?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderConfigRef + + providerRef?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderRef + + publishConnectionDetailsTo?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecWriteConnectionSecretToRef + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecForProvider: + r""" + terraform vault upbound io v1alpha1 cloud secret role spec for provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Must not begin or end with a /. + maxTtl : float, default is Undefined, optional + Maximum TTL for leases associated with this role, in seconds. 
Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. + name : str, default is Undefined, optional + the name of the Upbound official provider cloud secrets engine role to create. the name of an existing role against which to create this Upbound official provider cloud credential + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + the organization name managing your Upbound official provider cloud instance. name of the Upbound official provider cloud or enterprise organization + teamId : str, default is Undefined, optional + g., settings/teams/team-xxxxxxxxxxxxx) + ttl : float, default is Undefined, optional + Specifies the TTL for this role. Default lease for generated credentials. If not set or set to 0, will use system default. + userId : str, default is Undefined, optional + g., user-xxxxxxxxxxxxxxxx) + """ + + + backend?: str + + maxTtl?: float + + name?: str + + namespace?: str + + organization?: str + + teamId?: str + + ttl?: float + + userId?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. 
This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + backend : str, default is Undefined, optional + Must not begin or end with a /. + maxTtl : float, default is Undefined, optional + Maximum TTL for leases associated with this role, in seconds. Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. + name : str, default is Undefined, optional + the name of the Upbound official provider cloud secrets engine role to create. the name of an existing role against which to create this Upbound official provider cloud credential + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + the organization name managing your Upbound official provider cloud instance. name of the Upbound official provider cloud or enterprise organization + teamId : str, default is Undefined, optional + g., settings/teams/team-xxxxxxxxxxxxx) + ttl : float, default is Undefined, optional + Specifies the TTL for this role. Default lease for generated credentials. If not set or set to 0, will use system default. + userId : str, default is Undefined, optional + g., user-xxxxxxxxxxxxxxxx) + """ + + + backend?: str + + maxTtl?: float + + name?: str + + namespace?: str + + organization?: str + + teamId?: str + + ttl?: float + + userId?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderConfigRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecProviderRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. 
+ + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. 
+ $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatus: + r""" + CloudSecretRoleStatus defines the observed state of CloudSecretRole. + + Attributes + ---------- + atProvider : TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatusAtProvider + + conditions?: [TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatusConditionsItems0] + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatusAtProvider: + r""" + terraform vault upbound io v1alpha1 cloud secret role status at provider + + Attributes + ---------- + backend : str, default is Undefined, optional + Must not begin or end with a /. 
+ id : str, default is Undefined, optional + id + maxTtl : float, default is Undefined, optional + Maximum TTL for leases associated with this role, in seconds. Maximum allowed lease for generated credentials. If not set or set to 0, will use system default. + name : str, default is Undefined, optional + the name of the Upbound official provider cloud secrets engine role to create. the name of an existing role against which to create this Upbound official provider cloud credential + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + organization : str, default is Undefined, optional + the organization name managing your Upbound official provider cloud instance. name of the Upbound official provider cloud or enterprise organization + teamId : str, default is Undefined, optional + g., settings/teams/team-xxxxxxxxxxxxx) + ttl : float, default is Undefined, optional + Specifies the TTL for this role. Default lease for generated credentials. If not set or set to 0, will use system default. + userId : str, default is Undefined, optional + g., user-xxxxxxxxxxxxxxxx) + """ + + + backend?: str + + id?: str + + maxTtl?: float + + name?: str + + namespace?: str + + organization?: str + + teamId?: str + + ttl?: float + + userId?: str + + +schema TerraformVaultUpboundIoV1alpha1CloudSecretRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/token/v1alpha1/token_vault_upbound_io_v1alpha1_auth_backend_role.k b/crossplane-provider-vault/token/v1alpha1/token_vault_upbound_io_v1alpha1_auth_backend_role.k new file mode 100644 index 00000000..397d5eeb --- /dev/null +++ b/crossplane-provider-vault/token/v1alpha1/token_vault_upbound_io_v1alpha1_auth_backend_role.k 
@@ -0,0 +1,559 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema AuthBackendRole: + r""" + AuthBackendRole is the Schema for the AuthBackendRoles API. Manages Token auth backend roles in Vault. + + Attributes + ---------- + apiVersion : str, default is "token.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "AuthBackendRole", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpec, default is Undefined, required + spec + status : TokenVaultUpboundIoV1alpha1AuthBackendRoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "token.vault.upbound.io/v1alpha1" = "token.vault.upbound.io/v1alpha1" + + kind: "AuthBackendRole" = "AuthBackendRole" + + metadata?: v1.ObjectMeta + + spec: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpec + + status?: TokenVaultUpboundIoV1alpha1AuthBackendRoleStatus + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpec: + r""" + AuthBackendRoleSpec defines the desired state of AuthBackendRole + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either 
"Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider, default is Undefined, required + for provider + initProvider : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider + + initProvider?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef + + providerRef?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef + + publishConnectionDetailsTo?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecForProvider: + r""" + token vault upbound io v1alpha1 auth backend role spec for provider + + Attributes + ---------- + allowedEntityAliases : [str], default is Undefined, optional + List of allowed entity aliases. Set of allowed entity aliases for this role. + allowedPolicies : [str], default is Undefined, optional + List of allowed policies for given role. 
List of allowed policies for given role. + allowedPoliciesGlob : [str], default is Undefined, optional + Set of allowed policies with glob match for given role. Set of allowed policies with glob match for given role. + disallowedPolicies : [str], default is Undefined, optional + List of disallowed policies for given role. List of disallowed policies for given role. + disallowedPoliciesGlob : [str], default is Undefined, optional + Set of disallowed policies with glob match for given role. Set of disallowed policies with glob match for given role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + orphan : bool, default is Undefined, optional + If true, tokens created against this policy will be orphan tokens. If true, tokens created against this policy will be orphan tokens. + pathSuffix : str, default is Undefined, optional + Tokens created against this role will have the given suffix as part of their path in addition to the role name. Tokens created against this role will have the given suffix as part of their path in addition to the role name. + renewable : bool, default is Undefined, optional + Whether to disable the ability of the token to be renewed past its initial TTL. Whether to disable the ability of the token to be renewed past its initial TTL. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. 
Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). 
For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + allowedEntityAliases?: [str] + + allowedPolicies?: [str] + + allowedPoliciesGlob?: [str] + + disallowedPolicies?: [str] + + disallowedPoliciesGlob?: [str] + + namespace?: str + + orphan?: bool + + pathSuffix?: str + + renewable?: bool + + roleName?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedEntityAliases : [str], default is Undefined, optional + List of allowed entity aliases. Set of allowed entity aliases for this role. + allowedPolicies : [str], default is Undefined, optional + List of allowed policies for given role. List of allowed policies for given role. + allowedPoliciesGlob : [str], default is Undefined, optional + Set of allowed policies with glob match for given role. Set of allowed policies with glob match for given role. 
+ disallowedPolicies : [str], default is Undefined, optional + List of disallowed policies for given role. List of disallowed policies for given role. + disallowedPoliciesGlob : [str], default is Undefined, optional + Set of disallowed policies with glob match for given role. Set of disallowed policies with glob match for given role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + orphan : bool, default is Undefined, optional + If true, tokens created against this policy will be orphan tokens. If true, tokens created against this policy will be orphan tokens. + pathSuffix : str, default is Undefined, optional + Tokens created against this role will have the given suffix as part of their path in addition to the role name. Tokens created against this role will have the given suffix as part of their path in addition to the role name. + renewable : bool, default is Undefined, optional + Whether to disable the ability of the token to be renewed past its initial TTL. Whether to disable the ability of the token to be renewed past its initial TTL. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. 
Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. 
The type of token to generate, service or batch + """ + + + allowedEntityAliases?: [str] + + allowedPolicies?: [str] + + allowedPoliciesGlob?: [str] + + disallowedPolicies?: [str] + + disallowedPoliciesGlob?: [str] + + namespace?: str + + orphan?: bool + + pathSuffix?: str + + renewable?: bool + + roleName?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef + + metadata?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleStatus: + r""" + AuthBackendRoleStatus defines the observed state of AuthBackendRole. 
+ + Attributes + ---------- + atProvider : TokenVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [TokenVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: TokenVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider + + conditions?: [TokenVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0] + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleStatusAtProvider: + r""" + token vault upbound io v1alpha1 auth backend role status at provider + + Attributes + ---------- + allowedEntityAliases : [str], default is Undefined, optional + List of allowed entity aliases. Set of allowed entity aliases for this role. + allowedPolicies : [str], default is Undefined, optional + List of allowed policies for given role. List of allowed policies for given role. + allowedPoliciesGlob : [str], default is Undefined, optional + Set of allowed policies with glob match for given role. Set of allowed policies with glob match for given role. + disallowedPolicies : [str], default is Undefined, optional + List of disallowed policies for given role. List of disallowed policies for given role. + disallowedPoliciesGlob : [str], default is Undefined, optional + Set of disallowed policies with glob match for given role. Set of disallowed policies with glob match for given role. + id : str, default is Undefined, optional + id + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + orphan : bool, default is Undefined, optional + If true, tokens created against this policy will be orphan tokens. If true, tokens created against this policy will be orphan tokens. 
+ pathSuffix : str, default is Undefined, optional + Tokens created against this role will have the given suffix as part of their path in addition to the role name. Tokens created against this role will have the given suffix as part of their path in addition to the role name. + renewable : bool, default is Undefined, optional + Whether to disable the ability of the token to be renewed past its initial TTL. Whether to disable the ability of the token to be renewed past its initial TTL. + roleName : str, default is Undefined, optional + The name of the role. Name of the role. + tokenBoundCidrs : [str], default is Undefined, optional + List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well. Specifies the blocks of IP addresses which are allowed to use the generated token + tokenExplicitMaxTtl : float, default is Undefined, optional + If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal. Generated Token's Explicit Maximum TTL in seconds + tokenMaxTtl : float, default is Undefined, optional + The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The maximum lifetime of the generated token + tokenNoDefaultPolicy : bool, default is Undefined, optional + If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies. If true, the 'default' policy will not automatically be added to generated tokens + tokenNumUses : float, default is Undefined, optional + The maximum number of times a generated token may be used (within its lifetime); 0 means unlimited. 
The maximum number of times a token may be used, a value of zero means unlimited + tokenPeriod : float, default is Undefined, optional + If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds. Generated Token's Period + tokenPolicies : [str], default is Undefined, optional + Generated Token's Policies + tokenTtl : float, default is Undefined, optional + The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. The initial ttl of the token to generate in seconds + tokenType : str, default is Undefined, optional + The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time. The type of token to generate, service or batch + """ + + + allowedEntityAliases?: [str] + + allowedPolicies?: [str] + + allowedPoliciesGlob?: [str] + + disallowedPolicies?: [str] + + disallowedPoliciesGlob?: [str] + + id?: str + + namespace?: str + + orphan?: bool + + pathSuffix?: str + + renewable?: bool + + roleName?: str + + tokenBoundCidrs?: [str] + + tokenExplicitMaxTtl?: float + + tokenMaxTtl?: float + + tokenNoDefaultPolicy?: bool + + tokenNumUses?: float + + tokenPeriod?: float + + tokenPolicies?: [str] + + tokenTtl?: float + + tokenType?: str + + +schema TokenVaultUpboundIoV1alpha1AuthBackendRoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_alphabet.k b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_alphabet.k new file mode 100644 index 00000000..a001aca2 --- /dev/null +++ b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_alphabet.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Alphabet: + r""" + Alphabet is the Schema for the Alphabets API. "/transform/alphabet/{name}" + + Attributes + ---------- + apiVersion : str, default is "transform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Alphabet", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TransformVaultUpboundIoV1alpha1AlphabetSpec, default is Undefined, required + spec + status : TransformVaultUpboundIoV1alpha1AlphabetStatus, default is Undefined, optional + status + """ + + + apiVersion: "transform.vault.upbound.io/v1alpha1" = "transform.vault.upbound.io/v1alpha1" + + kind: "Alphabet" = "Alphabet" + + metadata?: v1.ObjectMeta + + spec: TransformVaultUpboundIoV1alpha1AlphabetSpec + + status?: TransformVaultUpboundIoV1alpha1AlphabetStatus + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpec: + r""" + AlphabetSpec defines the desired state of Alphabet + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TransformVaultUpboundIoV1alpha1AlphabetSpecForProvider, default is Undefined, required + for provider + initProvider : TransformVaultUpboundIoV1alpha1AlphabetSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TransformVaultUpboundIoV1alpha1AlphabetSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TransformVaultUpboundIoV1alpha1AlphabetSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TransformVaultUpboundIoV1alpha1AlphabetSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TransformVaultUpboundIoV1alpha1AlphabetSpecForProvider + + initProvider?: TransformVaultUpboundIoV1alpha1AlphabetSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TransformVaultUpboundIoV1alpha1AlphabetSpecProviderConfigRef + + providerRef?: TransformVaultUpboundIoV1alpha1AlphabetSpecProviderRef + + publishConnectionDetailsTo?: TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TransformVaultUpboundIoV1alpha1AlphabetSpecWriteConnectionSecretToRef + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecForProvider: + r""" + transform vault upbound io v1alpha1 alphabet spec for provider + + Attributes + ---------- + alphabet : str, default is Undefined, optional + A string of characters that contains the alphabet set. A string of characters that contains the alphabet set. + name : str, default is Undefined, optional + The name of the alphabet. The name of the alphabet. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + """ + + + alphabet?: str + + name?: str + + namespace?: str + + path?: str + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + alphabet : str, default is Undefined, optional + A string of characters that contains the alphabet set. A string of characters that contains the alphabet set. + name : str, default is Undefined, optional + The name of the alphabet. The name of the alphabet. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + """ + + + alphabet?: str + + name?: str + + namespace?: str + + path?: str + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1AlphabetSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1AlphabetSpecProviderConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1AlphabetSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1AlphabetSpecProviderRefPolicy + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToConfigRef + + metadata?: TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1AlphabetSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TransformVaultUpboundIoV1alpha1AlphabetStatus: + r""" + AlphabetStatus defines the observed state of Alphabet. + + Attributes + ---------- + atProvider : TransformVaultUpboundIoV1alpha1AlphabetStatusAtProvider, default is Undefined, optional + at provider + conditions : [TransformVaultUpboundIoV1alpha1AlphabetStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: TransformVaultUpboundIoV1alpha1AlphabetStatusAtProvider + + conditions?: [TransformVaultUpboundIoV1alpha1AlphabetStatusConditionsItems0] + + +schema TransformVaultUpboundIoV1alpha1AlphabetStatusAtProvider: + r""" + transform vault upbound io v1alpha1 alphabet status at provider + + Attributes + ---------- + alphabet : str, default is Undefined, optional + A string of characters that contains the alphabet set. A string of characters that contains the alphabet set. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the alphabet. The name of the alphabet. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + """ + + + alphabet?: str + + id?: str + + name?: str + + namespace?: str + + path?: str + + +schema TransformVaultUpboundIoV1alpha1AlphabetStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? 
+ $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_role.k b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_role.k new file mode 100644 index 00000000..441cad17 --- /dev/null +++ b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_role.k 
@@ -0,0 +1,379 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Role: + r""" + Role is the Schema for the Roles API. "/transform/role/{name}" + + Attributes + ---------- + apiVersion : str, default is "transform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Role", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TransformVaultUpboundIoV1alpha1RoleSpec, default is Undefined, required + spec + status : TransformVaultUpboundIoV1alpha1RoleStatus, default is Undefined, optional + status + """ + + + apiVersion: "transform.vault.upbound.io/v1alpha1" = "transform.vault.upbound.io/v1alpha1" + + kind: "Role" = "Role" + + metadata?: v1.ObjectMeta + + spec: TransformVaultUpboundIoV1alpha1RoleSpec + + status?: TransformVaultUpboundIoV1alpha1RoleStatus + + +schema TransformVaultUpboundIoV1alpha1RoleSpec: + r""" + RoleSpec defines the desired state of Role + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TransformVaultUpboundIoV1alpha1RoleSpecForProvider, default is Undefined, required + for provider + initProvider : TransformVaultUpboundIoV1alpha1RoleSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TransformVaultUpboundIoV1alpha1RoleSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TransformVaultUpboundIoV1alpha1RoleSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TransformVaultUpboundIoV1alpha1RoleSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TransformVaultUpboundIoV1alpha1RoleSpecForProvider + + initProvider?: TransformVaultUpboundIoV1alpha1RoleSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TransformVaultUpboundIoV1alpha1RoleSpecProviderConfigRef + + providerRef?: TransformVaultUpboundIoV1alpha1RoleSpecProviderRef + + publishConnectionDetailsTo?: TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TransformVaultUpboundIoV1alpha1RoleSpecWriteConnectionSecretToRef + + +schema TransformVaultUpboundIoV1alpha1RoleSpecForProvider: + r""" + transform vault upbound io v1alpha1 role spec for provider + + Attributes + ---------- + name : str, default is Undefined, optional + The name of the role. The name of the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. 
Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + transformations : [str], default is Undefined, optional + A comma separated string or slice of transformations to use. A comma separated string or slice of transformations to use. + """ + + + name?: str + + namespace?: str + + path?: str + + transformations?: [str] + + +schema TransformVaultUpboundIoV1alpha1RoleSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + name : str, default is Undefined, optional + The name of the role. The name of the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". 
+ transformations : [str], default is Undefined, optional + A comma separated string or slice of transformations to use. A comma separated string or slice of transformations to use. + """ + + + name?: str + + namespace?: str + + path?: str + + transformations?: [str] + + +schema TransformVaultUpboundIoV1alpha1RoleSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1RoleSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1RoleSpecProviderConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1RoleSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1RoleSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1RoleSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1RoleSpecProviderRefPolicy + + +schema TransformVaultUpboundIoV1alpha1RoleSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToConfigRef + + metadata?: TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1RoleSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1RoleSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TransformVaultUpboundIoV1alpha1RoleStatus: + r""" + RoleStatus defines the observed state of Role. + + Attributes + ---------- + atProvider : TransformVaultUpboundIoV1alpha1RoleStatusAtProvider, default is Undefined, optional + at provider + conditions : [TransformVaultUpboundIoV1alpha1RoleStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: TransformVaultUpboundIoV1alpha1RoleStatusAtProvider + + conditions?: [TransformVaultUpboundIoV1alpha1RoleStatusConditionsItems0] + + +schema TransformVaultUpboundIoV1alpha1RoleStatusAtProvider: + r""" + transform vault upbound io v1alpha1 role status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the role. The name of the role. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + transformations : [str], default is Undefined, optional + A comma separated string or slice of transformations to use. A comma separated string or slice of transformations to use. + """ + + + id?: str + + name?: str + + namespace?: str + + path?: str + + transformations?: [str] + + +schema TransformVaultUpboundIoV1alpha1RoleStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? 
+ $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_template.k b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_template.k new file mode 100644 index 00000000..6fde83db --- /dev/null +++ b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_template.k 
@@ -0,0 +1,427 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Template: + r""" + Template is the Schema for the Templates API. "/transform/template/{name}" + + Attributes + ---------- + apiVersion : str, default is "transform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Template", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TransformVaultUpboundIoV1alpha1TemplateSpec, default is Undefined, required + spec + status : TransformVaultUpboundIoV1alpha1TemplateStatus, default is Undefined, optional + status + """ + + + apiVersion: "transform.vault.upbound.io/v1alpha1" = "transform.vault.upbound.io/v1alpha1" + + kind: "Template" = "Template" + + metadata?: v1.ObjectMeta + + spec: TransformVaultUpboundIoV1alpha1TemplateSpec + + status?: TransformVaultUpboundIoV1alpha1TemplateStatus + + +schema TransformVaultUpboundIoV1alpha1TemplateSpec: + r""" + TemplateSpec defines the desired state of Template + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TransformVaultUpboundIoV1alpha1TemplateSpecForProvider, default is Undefined, required + for provider + initProvider : TransformVaultUpboundIoV1alpha1TemplateSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TransformVaultUpboundIoV1alpha1TemplateSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TransformVaultUpboundIoV1alpha1TemplateSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TransformVaultUpboundIoV1alpha1TemplateSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TransformVaultUpboundIoV1alpha1TemplateSpecForProvider + + initProvider?: TransformVaultUpboundIoV1alpha1TemplateSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TransformVaultUpboundIoV1alpha1TemplateSpecProviderConfigRef + + providerRef?: TransformVaultUpboundIoV1alpha1TemplateSpecProviderRef + + publishConnectionDetailsTo?: TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TransformVaultUpboundIoV1alpha1TemplateSpecWriteConnectionSecretToRef + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecForProvider: + r""" + transform vault upbound io v1alpha1 template spec for provider + + Attributes + ---------- + alphabet : str, default is Undefined, optional + The alphabet to use for this template. This is only used during FPE transformations. The alphabet to use for this template. This is only used during FPE transformations. 
+ decodeFormats : {str:str}, default is Undefined, optional + - Optional mapping of name to regular expression template, used to customize the decoded output. (requires Vault Enterprise 1.9+) The map of regular expression templates used to customize decoded outputs. Only applicable to FPE transformations. + encodeFormat : str, default is Undefined, optional + - The regular expression template used to format encoded values. (requires Vault Enterprise 1.9+) The regular expression template used for encoding values. Only applicable to FPE transformations. + name : str, default is Undefined, optional + The name of the template. The name of the template. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + pattern : str, default is Undefined, optional + The pattern used for matching. Currently, only regular expression pattern is supported. The pattern used for matching. Currently, only regular expression pattern is supported. + $type : str, default is Undefined, optional + The pattern type to use for match detection. Currently, only regex is supported. The pattern type to use for match detection. Currently, only regex is supported. + """ + + + alphabet?: str + + decodeFormats?: {str:str} + + encodeFormat?: str + + name?: str + + namespace?: str + + path?: str + + pattern?: str + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. 
It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + alphabet : str, default is Undefined, optional + The alphabet to use for this template. This is only used during FPE transformations. The alphabet to use for this template. This is only used during FPE transformations. + decodeFormats : {str:str}, default is Undefined, optional + - Optional mapping of name to regular expression template, used to customize the decoded output. (requires Vault Enterprise 1.9+) The map of regular expression templates used to customize decoded outputs. Only applicable to FPE transformations. + encodeFormat : str, default is Undefined, optional + - The regular expression template used to format encoded values. (requires Vault Enterprise 1.9+) The regular expression template used for encoding values. Only applicable to FPE transformations. + name : str, default is Undefined, optional + The name of the template. The name of the template. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. 
The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + pattern : str, default is Undefined, optional + The pattern used for matching. Currently, only regular expression pattern is supported. The pattern used for matching. Currently, only regular expression pattern is supported. + $type : str, default is Undefined, optional + The pattern type to use for match detection. Currently, only regex is supported. The pattern type to use for match detection. Currently, only regex is supported. + """ + + + alphabet?: str + + decodeFormats?: {str:str} + + encodeFormat?: str + + name?: str + + namespace?: str + + path?: str + + pattern?: str + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1TemplateSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1TemplateSpecProviderConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1TemplateSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1TemplateSpecProviderRefPolicy + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToConfigRef + + metadata?: TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TemplateSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TransformVaultUpboundIoV1alpha1TemplateStatus: + r""" + TemplateStatus defines the observed state of Template. 
+ + Attributes + ---------- + atProvider : TransformVaultUpboundIoV1alpha1TemplateStatusAtProvider, default is Undefined, optional + at provider + conditions : [TransformVaultUpboundIoV1alpha1TemplateStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: TransformVaultUpboundIoV1alpha1TemplateStatusAtProvider + + conditions?: [TransformVaultUpboundIoV1alpha1TemplateStatusConditionsItems0] + + +schema TransformVaultUpboundIoV1alpha1TemplateStatusAtProvider: + r""" + transform vault upbound io v1alpha1 template status at provider + + Attributes + ---------- + alphabet : str, default is Undefined, optional + The alphabet to use for this template. This is only used during FPE transformations. The alphabet to use for this template. This is only used during FPE transformations. + decodeFormats : {str:str}, default is Undefined, optional + - Optional mapping of name to regular expression template, used to customize the decoded output. (requires Vault Enterprise 1.9+) The map of regular expression templates used to customize decoded outputs. Only applicable to FPE transformations. + encodeFormat : str, default is Undefined, optional + - The regular expression template used to format encoded values. (requires Vault Enterprise 1.9+) The regular expression template used for encoding values. Only applicable to FPE transformations. + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the template. The name of the template. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. 
The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + pattern : str, default is Undefined, optional + The pattern used for matching. Currently, only regular expression pattern is supported. The pattern used for matching. Currently, only regular expression pattern is supported. + $type : str, default is Undefined, optional + The pattern type to use for match detection. Currently, only regex is supported. The pattern type to use for match detection. Currently, only regex is supported. + """ + + + alphabet?: str + + decodeFormats?: {str:str} + + encodeFormat?: str + + id?: str + + name?: str + + namespace?: str + + path?: str + + pattern?: str + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TemplateStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_transformation.k b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_transformation.k new file mode 100644 index 00000000..8c488e0f --- /dev/null 
+++ b/crossplane-provider-vault/transform/v1alpha1/transform_vault_upbound_io_v1alpha1_transformation.k 
@@ -0,0 +1,451 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Transformation: + r""" + Transformation is the Schema for the Transformations API. "/transform/transformation/{name}" + + Attributes + ---------- + apiVersion : str, default is "transform.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Transformation", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TransformVaultUpboundIoV1alpha1TransformationSpec, default is Undefined, required + spec + status : TransformVaultUpboundIoV1alpha1TransformationStatus, default is Undefined, optional + status + """ + + + apiVersion: "transform.vault.upbound.io/v1alpha1" = "transform.vault.upbound.io/v1alpha1" + + kind: "Transformation" = "Transformation" + + metadata?: v1.ObjectMeta + + spec: TransformVaultUpboundIoV1alpha1TransformationSpec + + status?: TransformVaultUpboundIoV1alpha1TransformationStatus + + +schema TransformVaultUpboundIoV1alpha1TransformationSpec: + r""" + TransformationSpec defines the desired state of Transformation + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - 
either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TransformVaultUpboundIoV1alpha1TransformationSpecForProvider, default is Undefined, required + for provider + initProvider : TransformVaultUpboundIoV1alpha1TransformationSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TransformVaultUpboundIoV1alpha1TransformationSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TransformVaultUpboundIoV1alpha1TransformationSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TransformVaultUpboundIoV1alpha1TransformationSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TransformVaultUpboundIoV1alpha1TransformationSpecForProvider + + initProvider?: TransformVaultUpboundIoV1alpha1TransformationSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TransformVaultUpboundIoV1alpha1TransformationSpecProviderConfigRef + + providerRef?: TransformVaultUpboundIoV1alpha1TransformationSpecProviderRef + + publishConnectionDetailsTo?: TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TransformVaultUpboundIoV1alpha1TransformationSpecWriteConnectionSecretToRef + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecForProvider: + r""" + transform vault upbound io v1alpha1 transformation spec for provider + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + The set of roles allowed to perform this transformation. The set of roles allowed to perform this transformation. 
+ deletionAllowed : bool, default is Undefined, optional + If true, this transform can be deleted. Otherwise, deletion is blocked while this value remains false. Default: false Only supported on vault-1.12+ If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. + maskingCharacter : str, default is Undefined, optional + The character used to replace data when in masking mode The character used to replace data when in masking mode + name : str, default is Undefined, optional + The name of the transformation. The name of the transformation. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + template : str, default is Undefined, optional + The name of the template to use. The name of the template to use. + templates : [str], default is Undefined, optional + Templates configured for transformation. Templates configured for transformation. + tweakSource : str, default is Undefined, optional + The source of where the tweak value comes from. Only valid when in FPE mode. The source of where the tweak value comes from. Only valid when in FPE mode. + $type : str, default is Undefined, optional + The type of transformation to perform. The type of transformation to perform. 
+ """ + + + allowedRoles?: [str] + + deletionAllowed?: bool + + maskingCharacter?: str + + name?: str + + namespace?: str + + path?: str + + template?: str + + templates?: [str] + + tweakSource?: str + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + The set of roles allowed to perform this transformation. The set of roles allowed to perform this transformation. + deletionAllowed : bool, default is Undefined, optional + If true, this transform can be deleted. Otherwise, deletion is blocked while this value remains false. Default: false Only supported on vault-1.12+ If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. + maskingCharacter : str, default is Undefined, optional + The character used to replace data when in masking mode The character used to replace data when in masking mode + name : str, default is Undefined, optional + The name of the transformation. The name of the transformation. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + template : str, default is Undefined, optional + The name of the template to use. The name of the template to use. + templates : [str], default is Undefined, optional + Templates configured for transformation. Templates configured for transformation. + tweakSource : str, default is Undefined, optional + The source of where the tweak value comes from. Only valid when in FPE mode. The source of where the tweak value comes from. Only valid when in FPE mode. + $type : str, default is Undefined, optional + The type of transformation to perform. The type of transformation to perform. + """ + + + allowedRoles?: [str] + + deletionAllowed?: bool + + maskingCharacter?: str + + name?: str + + namespace?: str + + path?: str + + template?: str + + templates?: [str] + + tweakSource?: str + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1TransformationSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1TransformationSpecProviderConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1TransformationSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1TransformationSpecProviderRefPolicy + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToConfigRef + + metadata?: TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToMetadata + + name: str + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToConfigRefPolicy + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TransformationSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. 
Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TransformVaultUpboundIoV1alpha1TransformationStatus: + r""" + TransformationStatus defines the observed state of Transformation. + + Attributes + ---------- + atProvider : TransformVaultUpboundIoV1alpha1TransformationStatusAtProvider, default is Undefined, optional + at provider + conditions : [TransformVaultUpboundIoV1alpha1TransformationStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: TransformVaultUpboundIoV1alpha1TransformationStatusAtProvider + + conditions?: [TransformVaultUpboundIoV1alpha1TransformationStatusConditionsItems0] + + +schema TransformVaultUpboundIoV1alpha1TransformationStatusAtProvider: + r""" + transform vault upbound io v1alpha1 transformation status at provider + + Attributes + ---------- + allowedRoles : [str], default is Undefined, optional + The set of roles allowed to perform this transformation. The set of roles allowed to perform this transformation. + deletionAllowed : bool, default is Undefined, optional + If true, this transform can be deleted. Otherwise, deletion is blocked while this value remains false. Default: false Only supported on vault-1.12+ If true, this transform can be deleted. Otherwise deletion is blocked while this value remains false. 
+ id : str, default is Undefined, optional + id + maskingCharacter : str, default is Undefined, optional + The character used to replace data when in masking mode The character used to replace data when in masking mode + name : str, default is Undefined, optional + The name of the transformation. The name of the transformation. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + Path to where the back-end is mounted within Vault. The mount path for a back-end, for example, the path given in "$ vault auth enable -path=my-aws aws". + template : str, default is Undefined, optional + The name of the template to use. The name of the template to use. + templates : [str], default is Undefined, optional + Templates configured for transformation. Templates configured for transformation. + tweakSource : str, default is Undefined, optional + The source of where the tweak value comes from. Only valid when in FPE mode. The source of where the tweak value comes from. Only valid when in FPE mode. + $type : str, default is Undefined, optional + The type of transformation to perform. The type of transformation to perform. + """ + + + allowedRoles?: [str] + + deletionAllowed?: bool + + id?: str + + maskingCharacter?: str + + name?: str + + namespace?: str + + path?: str + + template?: str + + templates?: [str] + + tweakSource?: str + + $type?: str + + +schema TransformVaultUpboundIoV1alpha1TransformationStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. 
+ message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/transit/v1alpha1/transit_vault_upbound_io_v1alpha1_secret_backend_key.k b/crossplane-provider-vault/transit/v1alpha1/transit_vault_upbound_io_v1alpha1_secret_backend_key.k new file mode 100644 index 00000000..0fd281e9 --- /dev/null +++ b/crossplane-provider-vault/transit/v1alpha1/transit_vault_upbound_io_v1alpha1_secret_backend_key.k 
@@ -0,0 +1,527 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema SecretBackendKey: + r""" + SecretBackendKey is the Schema for the SecretBackendKeys API. Create an Encryption Keyring on a Transit Secret Backend for Vault. + + Attributes + ---------- + apiVersion : str, default is "transit.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "SecretBackendKey", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : TransitVaultUpboundIoV1alpha1SecretBackendKeySpec, default is Undefined, required + spec + status : TransitVaultUpboundIoV1alpha1SecretBackendKeyStatus, default is Undefined, optional + status + """ + + + apiVersion: "transit.vault.upbound.io/v1alpha1" = "transit.vault.upbound.io/v1alpha1" + + kind: "SecretBackendKey" = "SecretBackendKey" + + metadata?: v1.ObjectMeta + + spec: TransitVaultUpboundIoV1alpha1SecretBackendKeySpec + + status?: TransitVaultUpboundIoV1alpha1SecretBackendKeyStatus + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpec: + r""" + SecretBackendKeySpec defines the desired state of SecretBackendKey + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecForProvider, default is Undefined, required + for provider + initProvider : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. 
ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecForProvider + + initProvider?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderConfigRef + + providerRef?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderRef + + publishConnectionDetailsTo?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecWriteConnectionSecretToRef + + +schema 
TransitVaultUpboundIoV1alpha1SecretBackendKeySpecForProvider: + r""" + transit vault upbound io v1alpha1 secret backend key spec for provider + + Attributes + ---------- + allowPlaintextBackup : bool, default is Undefined, optional + Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. + autoRotateInterval : float, default is Undefined, optional + Replaced by auto_rotate_period. Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + autoRotatePeriod : float, default is Undefined, optional + Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + backend : str, default is Undefined, optional + The path the transit secret backend is mounted at, with no leading or trailing /s. The Transit secret backend the resource belongs to. + convergentEncryption : bool, default is Undefined, optional + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + deletionAllowed : bool, default is Undefined, optional + Specifies if the keyring is allowed to be deleted. Specifies if the key is allowed to be deleted. + derived : bool, default is Undefined, optional + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. Specifies if key derivation is to be used. 
If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + exportable : bool, default is Undefined, optional + Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. + keySize : float, default is Undefined, optional + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. + minDecryptionVersion : float, default is Undefined, optional + Minimum key version to use for decryption. Minimum key version to use for decryption. + minEncryptionVersion : float, default is Undefined, optional + Minimum key version to use for encryption Minimum key version to use for encryption + name : str, default is Undefined, optional + The name to identify this key within the backend. Must be unique within the backend. Name of the encryption key to create. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + $type : str, default is Undefined, optional + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. Specifies the type of key to create. 
The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 + """ + + + allowPlaintextBackup?: bool + + autoRotateInterval?: float + + autoRotatePeriod?: float + + backend?: str + + convergentEncryption?: bool + + deletionAllowed?: bool + + derived?: bool + + exportable?: bool + + keySize?: float + + minDecryptionVersion?: float + + minEncryptionVersion?: float + + name?: str + + namespace?: str + + $type?: str + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + allowPlaintextBackup : bool, default is Undefined, optional + Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. + autoRotateInterval : float, default is Undefined, optional + Replaced by auto_rotate_period. Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + autoRotatePeriod : float, default is Undefined, optional + Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. 
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + backend : str, default is Undefined, optional + The path the transit secret backend is mounted at, with no leading or trailing /s. The Transit secret backend the resource belongs to. + convergentEncryption : bool, default is Undefined, optional + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + deletionAllowed : bool, default is Undefined, optional + Specifies if the keyring is allowed to be deleted. Specifies if the key is allowed to be deleted. + derived : bool, default is Undefined, optional + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + exportable : bool, default is Undefined, optional + Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. + keySize : float, default is Undefined, optional + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. + minDecryptionVersion : float, default is Undefined, optional + Minimum key version to use for decryption. Minimum key version to use for decryption. 
+ minEncryptionVersion : float, default is Undefined, optional + Minimum key version to use for encryption Minimum key version to use for encryption + name : str, default is Undefined, optional + The name to identify this key within the backend. Must be unique within the backend. Name of the encryption key to create. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + $type : str, default is Undefined, optional + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 + """ + + + allowPlaintextBackup?: bool + + autoRotateInterval?: float + + autoRotatePeriod?: float + + backend?: str + + convergentEncryption?: bool + + deletionAllowed?: bool + + derived?: bool + + exportable?: bool + + keySize?: float + + minDecryptionVersion?: float + + minEncryptionVersion?: float + + name?: str + + namespace?: str + + $type?: str + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderConfigRefPolicy + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderRefPolicy + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToConfigRef + + metadata?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToMetadata + + name: str + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToConfigRefPolicy + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeyStatus: + r""" + SecretBackendKeyStatus defines the observed state of SecretBackendKey. + + Attributes + ---------- + atProvider : TransitVaultUpboundIoV1alpha1SecretBackendKeyStatusAtProvider, default is Undefined, optional + at provider + conditions : [TransitVaultUpboundIoV1alpha1SecretBackendKeyStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: TransitVaultUpboundIoV1alpha1SecretBackendKeyStatusAtProvider + + conditions?: [TransitVaultUpboundIoV1alpha1SecretBackendKeyStatusConditionsItems0] + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeyStatusAtProvider: + r""" + transit vault upbound io v1alpha1 secret backend key status at provider + + Attributes + ---------- + allowPlaintextBackup : bool, default is Undefined, optional + Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled. If set, enables taking backup of named key in the plaintext format. Once set, this cannot be disabled. 
+ autoRotateInterval : float, default is Undefined, optional + Replaced by auto_rotate_period. Amount of time the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + autoRotatePeriod : float, default is Undefined, optional + Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key. + backend : str, default is Undefined, optional + The path the transit secret backend is mounted at, with no leading or trailing /s. The Transit secret backend the resource belongs to. + convergentEncryption : bool, default is Undefined, optional + Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true. + deletionAllowed : bool, default is Undefined, optional + Specifies if the keyring is allowed to be deleted. Specifies if the key is allowed to be deleted. + derived : bool, default is Undefined, optional + Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation. + exportable : bool, default is Undefined, optional + Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled. Enables keys to be exportable. This allows for all the valid keys in the key ring to be exported. Once set, this cannot be disabled. 
+ id : str, default is Undefined, optional + id + keySize : float, default is Undefined, optional + The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes. The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC; this value must be between 32 and 512. + keys : [{str:str}], default is Undefined, optional + List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key. List of key versions in the keyring. + latestVersion : float, default is Undefined, optional + Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0 Latest key version in use in the keyring + minAvailableVersion : float, default is Undefined, optional + Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change. Minimum key version available for use. + minDecryptionVersion : float, default is Undefined, optional + Minimum key version to use for decryption. Minimum key version to use for decryption. + minEncryptionVersion : float, default is Undefined, optional + Minimum key version to use for encryption Minimum key version to use for encryption + name : str, default is Undefined, optional + The name to identify this key within the backend. Must be unique within the backend. Name of the encryption key to create. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + supportsDecryption : bool, default is Undefined, optional + Whether or not the key supports decryption, based on key type. Whether or not the key supports decryption, based on key type. + supportsDerivation : bool, default is Undefined, optional + Whether or not the key supports derivation, based on key type. Whether or not the key supports derivation, based on key type. + supportsEncryption : bool, default is Undefined, optional + Whether or not the key supports encryption, based on key type. Whether or not the key supports encryption, based on key type. + supportsSigning : bool, default is Undefined, optional + Whether or not the key supports signing, based on key type. Whether or not the key supports signing, based on key type. + $type : str, default is Undefined, optional + Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096. Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96, chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072, rsa-4096 + """ + + + allowPlaintextBackup?: bool + + autoRotateInterval?: float + + autoRotatePeriod?: float + + backend?: str + + convergentEncryption?: bool + + deletionAllowed?: bool + + derived?: bool + + exportable?: bool + + id?: str + + keySize?: float + + keys?: [{str:str}] + + latestVersion?: float + + minAvailableVersion?: float + + minDecryptionVersion?: float + + minEncryptionVersion?: float + + name?: str + + namespace?: str + + supportsDecryption?: bool + + supportsDerivation?: bool + + supportsEncryption?: bool + + supportsSigning?: bool + + $type?: str + + +schema TransitVaultUpboundIoV1alpha1SecretBackendKeyStatusConditionsItems0: + r""" + A Condition that may apply to a resource. 
+ + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/v1alpha1/vault_upbound_io_v1alpha1_store_config.k b/crossplane-provider-vault/v1alpha1/vault_upbound_io_v1alpha1_store_config.k new file mode 100644 index 00000000..83ff3823 --- /dev/null +++ b/crossplane-provider-vault/v1alpha1/vault_upbound_io_v1alpha1_store_config.k 
@@ -0,0 +1,441 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema StoreConfig: + r""" + A StoreConfig configures how vault controller should store connection details. + + Attributes + ---------- + apiVersion : str, default is "vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "StoreConfig", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultUpboundIoV1alpha1StoreConfigSpec, default is Undefined, required + spec + status : VaultUpboundIoV1alpha1StoreConfigStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.upbound.io/v1alpha1" = "vault.upbound.io/v1alpha1" + + kind: "StoreConfig" = "StoreConfig" + + metadata?: v1.ObjectMeta + + spec: VaultUpboundIoV1alpha1StoreConfigSpec + + status?: VaultUpboundIoV1alpha1StoreConfigStatus + + +schema VaultUpboundIoV1alpha1StoreConfigSpec: + r""" + A StoreConfigSpec defines the desired state of a ProviderConfig. + + Attributes + ---------- + defaultScope : str, default is Undefined, required + DefaultScope used for scoping secrets for "cluster-scoped" resources. If store type is "Kubernetes", this would mean the default namespace to store connection secrets for cluster scoped resources. 
In case of "Vault", this would be used as the default parent path. Typically, should be set as Crossplane installation namespace. + kubernetes : VaultUpboundIoV1alpha1StoreConfigSpecKubernetes, default is Undefined, optional + kubernetes + plugin : VaultUpboundIoV1alpha1StoreConfigSpecPlugin, default is Undefined, optional + plugin + $type : str, default is "Kubernetes", optional + Type configures which secret store to be used. Only the configuration block for this store will be used and others will be ignored if provided. Default is Kubernetes. + vault : VaultUpboundIoV1alpha1StoreConfigSpecVault, default is Undefined, optional + vault + """ + + + defaultScope: str + + kubernetes?: VaultUpboundIoV1alpha1StoreConfigSpecKubernetes + + plugin?: VaultUpboundIoV1alpha1StoreConfigSpecPlugin + + $type?: "Kubernetes" | "Vault" | "Plugin" = "Kubernetes" + + vault?: VaultUpboundIoV1alpha1StoreConfigSpecVault + + +schema VaultUpboundIoV1alpha1StoreConfigSpecKubernetes: + r""" + Kubernetes configures a Kubernetes secret store. If the "type" is "Kubernetes" but no config provided, in cluster config will be used. + + Attributes + ---------- + auth : VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuth, default is Undefined, required + auth + """ + + + auth: VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuth + + +schema VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuth: + r""" + Credentials used to connect to the Kubernetes API. + + Attributes + ---------- + env : VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthEnv, default is Undefined, optional + env + fs : VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthFs, default is Undefined, optional + fs + secretRef : VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthSecretRef, default is Undefined, optional + secret ref + source : str, default is Undefined, required + Source of the credentials. 
+ """ + + + env?: VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthEnv + + fs?: VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthFs + + secretRef?: VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthSecretRef + + source: "None" | "Secret" | "Environment" | "Filesystem" + + +schema VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthEnv: + r""" + Env is a reference to an environment variable that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + name : str, default is Undefined, required + Name is the name of an environment variable. + """ + + + name: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthFs: + r""" + Fs is a reference to a filesystem location that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + path : str, default is Undefined, required + Path is a filesystem path. + """ + + + path: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecKubernetesAuthSecretRef: + r""" + A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecPlugin: + r""" + Plugin configures External secret store as a plugin. + + Attributes + ---------- + configRef : VaultUpboundIoV1alpha1StoreConfigSpecPluginConfigRef, default is Undefined, optional + config ref + endpoint : str, default is Undefined, optional + Endpoint is the endpoint of the gRPC server. + """ + + + configRef?: VaultUpboundIoV1alpha1StoreConfigSpecPluginConfigRef + + endpoint?: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecPluginConfigRef: + r""" + ConfigRef contains store config reference info. 
+ + Attributes + ---------- + apiVersion : str, default is Undefined, required + APIVersion of the referenced config. + kind : str, default is Undefined, required + Kind of the referenced config. + name : str, default is Undefined, required + Name of the referenced config. + """ + + + apiVersion: str + + kind: str + + name: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVault: + r""" + Vault configures a Vault secret store. Deprecated: This API is scheduled to be removed in a future release. Vault should be used as a plugin going forward. See https://github.com/crossplane-contrib/ess-plugin-vault for more information. + + Attributes + ---------- + auth : VaultUpboundIoV1alpha1StoreConfigSpecVaultAuth, default is Undefined, required + auth + caBundle : VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundle, default is Undefined, optional + ca bundle + mountPath : str, default is Undefined, required + MountPath is the mount path of the KV secrets engine. + server : str, default is Undefined, required + Server is the url of the Vault server, e.g. "https://vault.acme.org" + version : str, default is "v2", optional + Version of the KV Secrets engine of Vault. https://www.vaultproject.io/docs/secrets/kv + """ + + + auth: VaultUpboundIoV1alpha1StoreConfigSpecVaultAuth + + caBundle?: VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundle + + mountPath: str + + server: str + + version?: str = "v2" + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultAuth: + r""" + Auth configures an authentication method for Vault. + + Attributes + ---------- + method : str, default is Undefined, required + Method configures which auth method will be used. + token : VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthToken, default is Undefined, optional + token + """ + + + method: str + + token?: VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthToken + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthToken: + r""" + Token configures Token Auth for Vault. 
+ + Attributes + ---------- + env : VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenEnv, default is Undefined, optional + env + fs : VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenFs, default is Undefined, optional + fs + secretRef : VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenSecretRef, default is Undefined, optional + secret ref + source : str, default is Undefined, required + Source of the credentials. + """ + + + env?: VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenEnv + + fs?: VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenFs + + secretRef?: VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenSecretRef + + source: "None" | "Secret" | "Environment" | "Filesystem" + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenEnv: + r""" + Env is a reference to an environment variable that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + name : str, default is Undefined, required + Name is the name of an environment variable. + """ + + + name: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenFs: + r""" + Fs is a reference to a filesystem location that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + path : str, default is Undefined, required + Path is a filesystem path. + """ + + + path: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultAuthTokenSecretRef: + r""" + A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundle: + r""" + CABundle configures CA bundle for Vault Server. 
+ + Attributes + ---------- + env : VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleEnv, default is Undefined, optional + env + fs : VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleFs, default is Undefined, optional + fs + secretRef : VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleSecretRef, default is Undefined, optional + secret ref + source : str, default is Undefined, required + Source of the credentials. + """ + + + env?: VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleEnv + + fs?: VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleFs + + secretRef?: VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleSecretRef + + source: "None" | "Secret" | "Environment" | "Filesystem" + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleEnv: + r""" + Env is a reference to an environment variable that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + name : str, default is Undefined, required + Name is the name of an environment variable. + """ + + + name: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleFs: + r""" + Fs is a reference to a filesystem location that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + path : str, default is Undefined, required + Path is a filesystem path. + """ + + + path: str + + +schema VaultUpboundIoV1alpha1StoreConfigSpecVaultCaBundleSecretRef: + r""" + A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + key: str + + name: str + + namespace: str + + +schema VaultUpboundIoV1alpha1StoreConfigStatus: + r""" + A StoreConfigStatus represents the status of a StoreConfig. 
+ + Attributes + ---------- + conditions : [VaultUpboundIoV1alpha1StoreConfigStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + conditions?: [VaultUpboundIoV1alpha1StoreConfigStatusConditionsItems0] + + +schema VaultUpboundIoV1alpha1StoreConfigStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config.k b/crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config.k new file mode 100644 index 00000000..d5094a71 --- /dev/null +++ b/crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config.k 
@@ -0,0 +1,241 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema ProviderConfig: + r""" + A ProviderConfig configures a Vault provider. + + Attributes + ---------- + apiVersion : str, default is "vault.upbound.io/v1beta1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "ProviderConfig", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultUpboundIoV1beta1ProviderConfigSpec, default is Undefined, required + spec + status : VaultUpboundIoV1beta1ProviderConfigStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.upbound.io/v1beta1" = "vault.upbound.io/v1beta1" + + kind: "ProviderConfig" = "ProviderConfig" + + metadata?: v1.ObjectMeta + + spec: VaultUpboundIoV1beta1ProviderConfigSpec + + status?: VaultUpboundIoV1beta1ProviderConfigStatus + + +schema VaultUpboundIoV1beta1ProviderConfigSpec: + r""" + A ProviderConfigSpec defines the desired state of a ProviderConfig. + + Attributes + ---------- + add_address_to_env : bool, default is Undefined, optional + If true the environment variable VAULT_ADDR in the Terraform process environment will be set to the value of the address argument from this provider. By default, this is false. 
+ address : str, default is Undefined, required + Required origin URL of the Vault server. This is a URL with a scheme, a hostname and a port but with no path. + credentials : VaultUpboundIoV1beta1ProviderConfigSpecCredentials, default is Undefined, optional + credentials + headers : VaultUpboundIoV1beta1ProviderConfigSpecHeaders, default is Undefined, optional + headers + max_lease_ttl_seconds : int, default is Undefined, optional + Used as the duration for the intermediate Vault token Terraform issues itself, which in turn limits the duration of secret leases issued by Vault. Defaults to 20 minutes. + max_retries : int, default is Undefined, optional + Used as the maximum number of retries when a 5xx error code is encountered. Defaults to 2 retries. + max_retries_ccc : int, default is Undefined, optional + Maximum number of retries for Client Controlled Consistency related operations. Defaults to 10 retries. + namespace : str, default is Undefined, optional + Set the namespace to use. + skip_child_token : bool, default is Undefined, optional + Set this to true to disable creation of an intermediate ephemeral Vault token for Terraform to use. Enabling this is strongly discouraged since it increases the potential for a renewable Vault token being exposed in clear text. Only change this setting when the provided token cannot be permitted to create child tokens and there is no risk of exposure from the output of Terraform. + skip_get_vault_version : bool, default is Undefined, optional + Skip the dynamic fetching of the Vault server version. Set to true when the /sys/seal-status API endpoint is not available. + skip_tls_verify : bool, default is Undefined, optional + Set this to true to disable verification of the Vault server's TLS certificate. This is strongly discouraged except in prototype or development environments, since it exposes the possibility that Terraform can be tricked into writing secrets to a server controlled by an intruder. 
+ tls_server_name : str, default is Undefined, optional + Name to use as the SNI host when connecting via TLS. + vault_version_override : str, default is Undefined, optional + Override the target Vault server semantic version. Normally the version is dynamically set from the /sys/seal-status API endpoint. In the case where this endpoint is not available an override can be specified here. + """ + + + add_address_to_env?: bool + + address: str + + credentials?: VaultUpboundIoV1beta1ProviderConfigSpecCredentials + + headers?: VaultUpboundIoV1beta1ProviderConfigSpecHeaders + + max_lease_ttl_seconds?: int + + max_retries?: int + + max_retries_ccc?: int + + namespace?: str + + skip_child_token?: bool + + skip_get_vault_version?: bool + + skip_tls_verify?: bool + + tls_server_name?: str + + vault_version_override?: str + + +schema VaultUpboundIoV1beta1ProviderConfigSpecCredentials: + r""" + Credentials required to authenticate to this provider. There are many options to authenticate. They include - token - (Optional) Vault token that will be used by Terraform to authenticate. May be set via the VAULT_TOKEN environment variable. If none is otherwise supplied, Terraform will attempt to read it from ~/.vault-token (where the vault command stores its current token). Terraform will issue itself a new token that is a child of the one given, with a short TTL to limit the exposure of any requested secrets, unless skip_child_token is set to true (see below). Note that the given token must have the update capability on the auth/token/create path in Vault in order to create child tokens. A token is required for the provider. A token can explicitly set via token argument, alternatively a token can be dynamically set via an auth_login* block. 
+ + Attributes + ---------- + env : VaultUpboundIoV1beta1ProviderConfigSpecCredentialsEnv, default is Undefined, optional + env + fs : VaultUpboundIoV1beta1ProviderConfigSpecCredentialsFs, default is Undefined, optional + fs + secretRef : VaultUpboundIoV1beta1ProviderConfigSpecCredentialsSecretRef, default is Undefined, optional + secret ref + source : str, default is Undefined, required + Source of the provider credentials. + """ + + + env?: VaultUpboundIoV1beta1ProviderConfigSpecCredentialsEnv + + fs?: VaultUpboundIoV1beta1ProviderConfigSpecCredentialsFs + + secretRef?: VaultUpboundIoV1beta1ProviderConfigSpecCredentialsSecretRef + + source: "None" | "Secret" | "InjectedIdentity" | "Environment" | "Filesystem" + + +schema VaultUpboundIoV1beta1ProviderConfigSpecCredentialsEnv: + r""" + Env is a reference to an environment variable that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + name : str, default is Undefined, required + Name is the name of an environment variable. + """ + + + name: str + + +schema VaultUpboundIoV1beta1ProviderConfigSpecCredentialsFs: + r""" + Fs is a reference to a filesystem location that contains credentials that must be used to connect to the provider. + + Attributes + ---------- + path : str, default is Undefined, required + Path is a filesystem path. + """ + + + path: str + + +schema VaultUpboundIoV1beta1ProviderConfigSpecCredentialsSecretRef: + r""" + A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider. + + Attributes + ---------- + key : str, default is Undefined, required + The key to select. + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. 
+ """ + + + key: str + + name: str + + namespace: str + + +schema VaultUpboundIoV1beta1ProviderConfigSpecHeaders: + r""" + A configuration block, described below, that provides headers to be sent along with all requests to the Vault server. This block can be specified multiple times. + + Attributes + ---------- + name : str, default is Undefined, required + Required header name + value : str, default is Undefined, required + Required header value + """ + + + name: str + + value: str + + +schema VaultUpboundIoV1beta1ProviderConfigStatus: + r""" + A ProviderConfigStatus reflects the observed state of a ProviderConfig. + + Attributes + ---------- + conditions : [VaultUpboundIoV1beta1ProviderConfigStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + users : int, default is Undefined, optional + Users of this provider configuration. + """ + + + conditions?: [VaultUpboundIoV1beta1ProviderConfigStatusConditionsItems0] + + users?: int + + +schema VaultUpboundIoV1beta1ProviderConfigStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + 
diff --git a/crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config_usage.k b/crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config_usage.k new file mode 100644 index 00000000..c50b0436 --- /dev/null +++ b/crossplane-provider-vault/v1beta1/vault_upbound_io_v1beta1_provider_config_usage.k 
@@ -0,0 +1,99 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema ProviderConfigUsage: + r""" + A ProviderConfigUsage indicates that a resource is using a ProviderConfig. + + Attributes + ---------- + apiVersion : str, default is "vault.upbound.io/v1beta1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "ProviderConfigUsage", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + providerConfigRef : VaultUpboundIoV1beta1ProviderConfigUsageProviderConfigRef, default is Undefined, required + provider config ref + resourceRef : VaultUpboundIoV1beta1ProviderConfigUsageResourceRef, default is Undefined, required + resource ref + """ + + + apiVersion: "vault.upbound.io/v1beta1" = "vault.upbound.io/v1beta1" + + kind: "ProviderConfigUsage" = "ProviderConfigUsage" + + metadata?: v1.ObjectMeta + + providerConfigRef: VaultUpboundIoV1beta1ProviderConfigUsageProviderConfigRef + + resourceRef: VaultUpboundIoV1beta1ProviderConfigUsageResourceRef + + +schema VaultUpboundIoV1beta1ProviderConfigUsageProviderConfigRef: + r""" + ProviderConfigReference to the provider config being used. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : VaultUpboundIoV1beta1ProviderConfigUsageProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultUpboundIoV1beta1ProviderConfigUsageProviderConfigRefPolicy + + +schema VaultUpboundIoV1beta1ProviderConfigUsageProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultUpboundIoV1beta1ProviderConfigUsageResourceRef: + r""" + ResourceReference to the managed resource using the provider config. + + Attributes + ---------- + apiVersion : str, default is Undefined, required + APIVersion of the referenced object. + kind : str, default is Undefined, required + Kind of the referenced object. + name : str, default is Undefined, required + Name of the referenced object. + uid : str, default is Undefined, optional + UID of the referenced object. + """ + + + apiVersion: str + + kind: str + + name: str + + uid?: str + + diff --git a/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_audit.k b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_audit.k new file mode 100644 index 00000000..84297e9f --- /dev/null +++ b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_audit.k 
@@ -0,0 +1,403 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Audit: + r""" + Audit is the Schema for the Audits API. Writes audit backends for Vault + + Attributes + ---------- + apiVersion : str, default is "vault.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Audit", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultVaultUpboundIoV1alpha1AuditSpec, default is Undefined, required + spec + status : VaultVaultUpboundIoV1alpha1AuditStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.vault.upbound.io/v1alpha1" = "vault.vault.upbound.io/v1alpha1" + + kind: "Audit" = "Audit" + + metadata?: v1.ObjectMeta + + spec: VaultVaultUpboundIoV1alpha1AuditSpec + + status?: VaultVaultUpboundIoV1alpha1AuditStatus + + +schema VaultVaultUpboundIoV1alpha1AuditSpec: + r""" + AuditSpec defines the desired state of Audit + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. 
Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : VaultVaultUpboundIoV1alpha1AuditSpecForProvider, default is Undefined, required + for provider + initProvider : VaultVaultUpboundIoV1alpha1AuditSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : VaultVaultUpboundIoV1alpha1AuditSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : VaultVaultUpboundIoV1alpha1AuditSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : VaultVaultUpboundIoV1alpha1AuditSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: VaultVaultUpboundIoV1alpha1AuditSpecForProvider + + initProvider?: VaultVaultUpboundIoV1alpha1AuditSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: VaultVaultUpboundIoV1alpha1AuditSpecProviderConfigRef + + providerRef?: VaultVaultUpboundIoV1alpha1AuditSpecProviderRef + + publishConnectionDetailsTo?: VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: VaultVaultUpboundIoV1alpha1AuditSpecWriteConnectionSecretToRef + + +schema VaultVaultUpboundIoV1alpha1AuditSpecForProvider: + r""" + vault vault upbound io v1alpha1 audit spec for provider + + Attributes + ---------- + description : str, default is Undefined, optional + Human-friendly description of the audit device. Human-friendly description of the audit device. + local : bool, default is Undefined, optional + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. Specifies if the audit device is a local only. 
Local audit devices are not replicated nor (if a secondary) removed by replication. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Configuration options to pass to the audit device itself. Configuration options to pass to the audit device itself. + path : str, default is Undefined, optional + The path to mount the audit device. This defaults to the type. Path in which to enable the audit device. + $type : str, default is Undefined, optional + Type of the audit device, such as 'file'. Type of the audit device, such as 'file'. + """ + + + description?: str + + local?: bool + + namespace?: str + + options?: {str:str} + + path?: str + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1AuditSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + description : str, default is Undefined, optional + Human-friendly description of the audit device. Human-friendly description of the audit device. 
+ local : bool, default is Undefined, optional + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Configuration options to pass to the audit device itself. Configuration options to pass to the audit device itself. + path : str, default is Undefined, optional + The path to mount the audit device. This defaults to the type. Path in which to enable the audit device. + $type : str, default is Undefined, optional + Type of the audit device, such as 'file'. Type of the audit device, such as 'file'. + """ + + + description?: str + + local?: bool + + namespace?: str + + options?: {str:str} + + path?: str + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1AuditSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1AuditSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1AuditSpecProviderConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1AuditSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1AuditSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1AuditSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1AuditSpecProviderRefPolicy + + +schema VaultVaultUpboundIoV1alpha1AuditSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToConfigRef + + metadata?: VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToMetadata + + name: str + + +schema VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1AuditSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1AuditSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema VaultVaultUpboundIoV1alpha1AuditStatus: + r""" + AuditStatus defines the observed state of Audit. + + Attributes + ---------- + atProvider : VaultVaultUpboundIoV1alpha1AuditStatusAtProvider, default is Undefined, optional + at provider + conditions : [VaultVaultUpboundIoV1alpha1AuditStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: VaultVaultUpboundIoV1alpha1AuditStatusAtProvider + + conditions?: [VaultVaultUpboundIoV1alpha1AuditStatusConditionsItems0] + + +schema VaultVaultUpboundIoV1alpha1AuditStatusAtProvider: + r""" + vault vault upbound io v1alpha1 audit status at provider + + Attributes + ---------- + description : str, default is Undefined, optional + Human-friendly description of the audit device. Human-friendly description of the audit device. + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Configuration options to pass to the audit device itself. 
Configuration options to pass to the audit device itself. + path : str, default is Undefined, optional + The path to mount the audit device. This defaults to the type. Path in which to enable the audit device. + $type : str, default is Undefined, optional + Type of the audit device, such as 'file'. Type of the audit device, such as 'file'. + """ + + + description?: str + + id?: str + + local?: bool + + namespace?: str + + options?: {str:str} + + path?: str + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1AuditStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_mount.k b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_mount.k new file mode 100644 index 00000000..6cec2bcb --- /dev/null +++ b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_mount.k 
@@ -0,0 +1,491 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Mount: + r""" + Mount is the Schema for the Mounts API. Managing the mounting of secret backends in Vault + + Attributes + ---------- + apiVersion : str, default is "vault.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Mount", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultVaultUpboundIoV1alpha1MountSpec, default is Undefined, required + spec + status : VaultVaultUpboundIoV1alpha1MountStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.vault.upbound.io/v1alpha1" = "vault.vault.upbound.io/v1alpha1" + + kind: "Mount" = "Mount" + + metadata?: v1.ObjectMeta + + spec: VaultVaultUpboundIoV1alpha1MountSpec + + status?: VaultVaultUpboundIoV1alpha1MountStatus + + +schema VaultVaultUpboundIoV1alpha1MountSpec: + r""" + MountSpec defines the desired state of Mount + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : VaultVaultUpboundIoV1alpha1MountSpecForProvider, default is Undefined, required + for provider + initProvider : VaultVaultUpboundIoV1alpha1MountSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : VaultVaultUpboundIoV1alpha1MountSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : VaultVaultUpboundIoV1alpha1MountSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : VaultVaultUpboundIoV1alpha1MountSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: VaultVaultUpboundIoV1alpha1MountSpecForProvider + + initProvider?: VaultVaultUpboundIoV1alpha1MountSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: VaultVaultUpboundIoV1alpha1MountSpecProviderConfigRef + + providerRef?: VaultVaultUpboundIoV1alpha1MountSpecProviderRef + + publishConnectionDetailsTo?: VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: VaultVaultUpboundIoV1alpha1MountSpecWriteConnectionSecretToRef + + +schema VaultVaultUpboundIoV1alpha1MountSpecForProvider: + r""" + vault vault upbound io v1alpha1 mount spec for provider + + Attributes + ---------- + allowedManagedKeys : [str], default is Undefined, optional + Set of managed key registry entry names that the mount in question is allowed to access List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data 
object. Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount Human-friendly description of the mount + externalEntropyAccess : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source Enable the secrets engine to access Vault's external entropy source + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds Maximum possible lease duration for tokens and secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend Specifies mount type specific options that are passed to the backend + path : str, default is Undefined, optional + Where the secret backend will be mounted Where the secret backend will be mounted + sealWrap : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + $type : str, default is Undefined, optional + Type of the backend, such as "aws" Type of the backend, such as 'aws' + """ + + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtlSeconds?: float + + description?: str + + externalEntropyAccess?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + options?: {str:str} + + path?: str + + sealWrap?: bool + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1MountSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. 
+ + Attributes + ---------- + allowedManagedKeys : [str], default is Undefined, optional + Set of managed key registry entry names that the mount in question is allowed to access List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. + defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount Human-friendly description of the mount + externalEntropyAccess : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source Enable the secrets engine to access Vault's external entropy source + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds Maximum possible lease duration for tokens and secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend Specifies mount type specific options that are passed to the backend + path : str, default is Undefined, optional + Where the secret backend will be mounted Where the secret backend will be mounted + sealWrap : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + $type : str, default is Undefined, optional + Type of the backend, such as "aws" Type of the backend, such as 'aws' + """ + + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtlSeconds?: float + + description?: str + + externalEntropyAccess?: bool + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + options?: {str:str} + + path?: str + + sealWrap?: bool + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1MountSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1MountSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1MountSpecProviderConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1MountSpecProviderConfigRefPolicy: + r""" + Policies for referencing. 
+ + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1MountSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1MountSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1MountSpecProviderRefPolicy + + +schema VaultVaultUpboundIoV1alpha1MountSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. 
Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToConfigRef + + metadata?: VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToMetadata + + name: str + + +schema VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. 
The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1MountSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1MountSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. 
Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema VaultVaultUpboundIoV1alpha1MountStatus: + r""" + MountStatus defines the observed state of Mount. + + Attributes + ---------- + atProvider : VaultVaultUpboundIoV1alpha1MountStatusAtProvider, default is Undefined, optional + at provider + conditions : [VaultVaultUpboundIoV1alpha1MountStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: VaultVaultUpboundIoV1alpha1MountStatusAtProvider + + conditions?: [VaultVaultUpboundIoV1alpha1MountStatusConditionsItems0] + + +schema VaultVaultUpboundIoV1alpha1MountStatusAtProvider: + r""" + vault vault upbound io v1alpha1 mount status at provider + + Attributes + ---------- + accessor : str, default is Undefined, optional + The accessor for this mount. Accessor of the mount + allowedManagedKeys : [str], default is Undefined, optional + Set of managed key registry entry names that the mount in question is allowed to access List of managed key registry entry names that the mount in question is allowed to access + auditNonHmacRequestKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. + auditNonHmacResponseKeys : [str], default is Undefined, optional + Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. 
+ defaultLeaseTtlSeconds : float, default is Undefined, optional + Default lease duration for tokens and secrets in seconds Default lease duration for tokens and secrets in seconds + description : str, default is Undefined, optional + Human-friendly description of the mount Human-friendly description of the mount + externalEntropyAccess : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source Enable the secrets engine to access Vault's external entropy source + id : str, default is Undefined, optional + id + local : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enforce local mount in HA environment Local mount flag that can be explicitly set to true to enforce local mount in HA environment + maxLeaseTtlSeconds : float, default is Undefined, optional + Maximum possible lease duration for tokens and secrets in seconds Maximum possible lease duration for tokens and secrets in seconds + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + options : {str:str}, default is Undefined, optional + Specifies mount type specific options that are passed to the backend Specifies mount type specific options that are passed to the backend + path : str, default is Undefined, optional + Where the secret backend will be mounted Where the secret backend will be mounted + sealWrap : bool, default is Undefined, optional + Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability + $type : str, default is Undefined, optional + Type of the backend, such as "aws" Type of the backend, such as 'aws' + """ + + + accessor?: str + + allowedManagedKeys?: [str] + + auditNonHmacRequestKeys?: [str] + + auditNonHmacResponseKeys?: [str] + + defaultLeaseTtlSeconds?: float + + description?: str + + externalEntropyAccess?: bool + + id?: str + + local?: bool + + maxLeaseTtlSeconds?: float + + namespace?: str + + options?: {str:str} + + path?: str + + sealWrap?: bool + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1MountStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. 
At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_policy.k b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_policy.k new file mode 100644 index 00000000..a5aa30d9 --- /dev/null +++ b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_policy.k 
@@ -0,0 +1,367 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Policy: + r""" + Policy is the Schema for the Policys API. Writes arbitrary policies for Vault + + Attributes + ---------- + apiVersion : str, default is "vault.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Policy", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultVaultUpboundIoV1alpha1PolicySpec, default is Undefined, required + spec + status : VaultVaultUpboundIoV1alpha1PolicyStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.vault.upbound.io/v1alpha1" = "vault.vault.upbound.io/v1alpha1" + + kind: "Policy" = "Policy" + + metadata?: v1.ObjectMeta + + spec: VaultVaultUpboundIoV1alpha1PolicySpec + + status?: VaultVaultUpboundIoV1alpha1PolicyStatus + + +schema VaultVaultUpboundIoV1alpha1PolicySpec: + r""" + PolicySpec defines the desired state of Policy + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. 
This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : VaultVaultUpboundIoV1alpha1PolicySpecForProvider, default is Undefined, required + for provider + initProvider : VaultVaultUpboundIoV1alpha1PolicySpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : VaultVaultUpboundIoV1alpha1PolicySpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : VaultVaultUpboundIoV1alpha1PolicySpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : VaultVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: VaultVaultUpboundIoV1alpha1PolicySpecForProvider + + initProvider?: VaultVaultUpboundIoV1alpha1PolicySpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: VaultVaultUpboundIoV1alpha1PolicySpecProviderConfigRef + + providerRef?: VaultVaultUpboundIoV1alpha1PolicySpecProviderRef + + publishConnectionDetailsTo?: VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: VaultVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef + + +schema VaultVaultUpboundIoV1alpha1PolicySpecForProvider: + r""" + vault vault upbound io v1alpha1 policy spec for provider + + Attributes + ---------- + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + policy : str, default is Undefined, optional + String containing a Vault policy The policy document + """ + + + name?: str + + namespace?: str + + policy?: str + + +schema VaultVaultUpboundIoV1alpha1PolicySpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + policy : str, default is Undefined, optional + String containing a Vault policy The policy document + """ + + + name?: str + + namespace?: str + + policy?: str + + +schema VaultVaultUpboundIoV1alpha1PolicySpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : VaultVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1PolicySpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1PolicySpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy + + +schema VaultVaultUpboundIoV1alpha1PolicySpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 
'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef + + metadata?: VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata + + name: str + + +schema VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. 
+ policy : VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1PolicySpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. 
+ """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1PolicySpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema VaultVaultUpboundIoV1alpha1PolicyStatus: + r""" + PolicyStatus defines the observed state of Policy. + + Attributes + ---------- + atProvider : VaultVaultUpboundIoV1alpha1PolicyStatusAtProvider, default is Undefined, optional + at provider + conditions : [VaultVaultUpboundIoV1alpha1PolicyStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: VaultVaultUpboundIoV1alpha1PolicyStatusAtProvider + + conditions?: [VaultVaultUpboundIoV1alpha1PolicyStatusConditionsItems0] + + +schema VaultVaultUpboundIoV1alpha1PolicyStatusAtProvider: + r""" + vault vault upbound io v1alpha1 policy status at provider + + Attributes + ---------- + id : str, default is Undefined, optional + id + name : str, default is Undefined, optional + The name of the policy Name of the policy + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + policy : str, default is Undefined, optional + String containing a Vault policy The policy document + """ + + + id?: str + + name?: str + + namespace?: str + + policy?: str + + +schema VaultVaultUpboundIoV1alpha1PolicyStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_token.k b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_token.k new file mode 100644 index 00000000..aa5f0a75 --- /dev/null +++ b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_token.k 
@@ -0,0 +1,519 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema Token: + r""" + Token is the Schema for the Tokens API. Writes token for Vault + + Attributes + ---------- + apiVersion : str, default is "vault.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "Token", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultVaultUpboundIoV1alpha1TokenSpec, default is Undefined, required + spec + status : VaultVaultUpboundIoV1alpha1TokenStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.vault.upbound.io/v1alpha1" = "vault.vault.upbound.io/v1alpha1" + + kind: "Token" = "Token" + + metadata?: v1.ObjectMeta + + spec: VaultVaultUpboundIoV1alpha1TokenSpec + + status?: VaultVaultUpboundIoV1alpha1TokenStatus + + +schema VaultVaultUpboundIoV1alpha1TokenSpec: + r""" + TokenSpec defines the desired state of Token + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. 
Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : VaultVaultUpboundIoV1alpha1TokenSpecForProvider, default is Undefined, required + for provider + initProvider : VaultVaultUpboundIoV1alpha1TokenSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : VaultVaultUpboundIoV1alpha1TokenSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : VaultVaultUpboundIoV1alpha1TokenSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : VaultVaultUpboundIoV1alpha1TokenSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: VaultVaultUpboundIoV1alpha1TokenSpecForProvider + + initProvider?: VaultVaultUpboundIoV1alpha1TokenSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: VaultVaultUpboundIoV1alpha1TokenSpecProviderConfigRef + + providerRef?: VaultVaultUpboundIoV1alpha1TokenSpecProviderRef + + publishConnectionDetailsTo?: VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: VaultVaultUpboundIoV1alpha1TokenSpecWriteConnectionSecretToRef + + +schema VaultVaultUpboundIoV1alpha1TokenSpecForProvider: + r""" + vault vault upbound io v1alpha1 token spec for provider + + Attributes + ---------- + displayName : str, default is Undefined, optional + String containing the token display name The display name of the token. + explicitMaxTtl : str, default is Undefined, optional + The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The explicit max TTL of the token. 
+ metadata : {str:str}, default is Undefined, optional + Metadata to be set on this token Metadata to be associated with the token. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + noDefaultPolicy : bool, default is Undefined, optional + Flag to not attach the default policy to this token Flag to disable the default policy. + noParent : bool, default is Undefined, optional + Flag to create a token without parent Flag to create a token without parent. + numUses : float, default is Undefined, optional + The number of allowed uses of this token The number of allowed uses of the token. + period : str, default is Undefined, optional + The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The period of the token. + policies : [str], default is Undefined, optional + List of policies to attach to this token List of policies. + renewIncrement : float, default is Undefined, optional + The renew increment. This is specified in seconds The renew increment. + renewMinLease : float, default is Undefined, optional + The minimal lease to renew this token The minimum lease to renew token. + renewable : bool, default is Undefined, optional + Flag to allow to renew this token Flag to allow the token to be renewed + roleName : str, default is Undefined, optional + The token role name The token role name. + ttl : str, default is Undefined, optional + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The TTL period of the token. + wrappingTtl : str, default is Undefined, optional + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The TTL period of the wrapped token. 
+ """ + + + displayName?: str + + explicitMaxTtl?: str + + metadata?: {str:str} + + namespace?: str + + noDefaultPolicy?: bool + + noParent?: bool + + numUses?: float + + period?: str + + policies?: [str] + + renewIncrement?: float + + renewMinLease?: float + + renewable?: bool + + roleName?: str + + ttl?: str + + wrappingTtl?: str + + +schema VaultVaultUpboundIoV1alpha1TokenSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + displayName : str, default is Undefined, optional + String containing the token display name The display name of the token. + explicitMaxTtl : str, default is Undefined, optional + The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The explicit max TTL of the token. + metadata : {str:str}, default is Undefined, optional + Metadata to be set on this token Metadata to be associated with the token. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. 
(requires Enterprise) + noDefaultPolicy : bool, default is Undefined, optional + Flag to not attach the default policy to this token Flag to disable the default policy. + noParent : bool, default is Undefined, optional + Flag to create a token without parent Flag to create a token without parent. + numUses : float, default is Undefined, optional + The number of allowed uses of this token The number of allowed uses of the token. + period : str, default is Undefined, optional + The period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The period of the token. + policies : [str], default is Undefined, optional + List of policies to attach to this token List of policies. + renewIncrement : float, default is Undefined, optional + The renew increment. This is specified in seconds The renew increment. + renewMinLease : float, default is Undefined, optional + The minimal lease to renew this token The minimum lease to renew token. + renewable : bool, default is Undefined, optional + Flag to allow to renew this token Flag to allow the token to be renewed + roleName : str, default is Undefined, optional + The token role name The token role name. + ttl : str, default is Undefined, optional + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The TTL period of the token. + wrappingTtl : str, default is Undefined, optional + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The TTL period of the wrapped token. 
+ """ + + + displayName?: str + + explicitMaxTtl?: str + + metadata?: {str:str} + + namespace?: str + + noDefaultPolicy?: bool + + noParent?: bool + + numUses?: float + + period?: str + + policies?: [str] + + renewIncrement?: float + + renewMinLease?: float + + renewable?: bool + + roleName?: str + + ttl?: str + + wrappingTtl?: str + + +schema VaultVaultUpboundIoV1alpha1TokenSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1TokenSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1TokenSpecProviderConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1TokenSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1TokenSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. 
`providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1TokenSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1TokenSpecProviderRefPolicy + + +schema VaultVaultUpboundIoV1alpha1TokenSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. + + Attributes + ---------- + configRef : VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. 
+ """ + + + configRef?: VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToConfigRef + + metadata?: VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToMetadata + + name: str + + +schema VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1TokenSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". 
- It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1TokenSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema VaultVaultUpboundIoV1alpha1TokenStatus: + r""" + TokenStatus defines the observed state of Token. + + Attributes + ---------- + atProvider : VaultVaultUpboundIoV1alpha1TokenStatusAtProvider, default is Undefined, optional + at provider + conditions : [VaultVaultUpboundIoV1alpha1TokenStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. 
+ """ + + + atProvider?: VaultVaultUpboundIoV1alpha1TokenStatusAtProvider + + conditions?: [VaultVaultUpboundIoV1alpha1TokenStatusConditionsItems0] + + +schema VaultVaultUpboundIoV1alpha1TokenStatusAtProvider: + r""" + vault vault upbound io v1alpha1 token status at provider + + Attributes + ---------- + displayName : str, default is Undefined, optional + String containing the token display name The display name of the token. + explicitMaxTtl : str, default is Undefined, optional + The explicit max TTL of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The explicit max TTL of the token. + id : str, default is Undefined, optional + id + leaseDuration : float, default is Undefined, optional + String containing the token lease duration if present in state file The token lease duration. + leaseStarted : str, default is Undefined, optional + String containing the token lease started time if present in state file The token lease started on. + metadata : {str:str}, default is Undefined, optional + Metadata to be set on this token Metadata to be associated with the token. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + noDefaultPolicy : bool, default is Undefined, optional + Flag to not attach the default policy to this token Flag to disable the default policy. + noParent : bool, default is Undefined, optional + Flag to create a token without parent Flag to create a token without parent. + numUses : float, default is Undefined, optional + The number of allowed uses of this token The number of allowed uses of the token. + period : str, default is Undefined, optional + The period of this token. 
This is specified as a numeric string with suffix like "30s" ro "5m" The period of the token. + policies : [str], default is Undefined, optional + List of policies to attach to this token List of policies. + renewIncrement : float, default is Undefined, optional + The renew increment. This is specified in seconds The renew increment. + renewMinLease : float, default is Undefined, optional + The minimal lease to renew this token The minimum lease to renew token. + renewable : bool, default is Undefined, optional + Flag to allow to renew this token Flag to allow the token to be renewed + roleName : str, default is Undefined, optional + The token role name The token role name. + ttl : str, default is Undefined, optional + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The TTL period of the token. + wrappingTtl : str, default is Undefined, optional + The TTL period of this token. This is specified as a numeric string with suffix like "30s" ro "5m" The TTL period of the wrapped token. + """ + + + displayName?: str + + explicitMaxTtl?: str + + id?: str + + leaseDuration?: float + + leaseStarted?: str + + metadata?: {str:str} + + namespace?: str + + noDefaultPolicy?: bool + + noParent?: bool + + numUses?: float + + period?: str + + policies?: [str] + + renewIncrement?: float + + renewMinLease?: float + + renewable?: bool + + roleName?: str + + ttl?: str + + wrappingTtl?: str + + +schema VaultVaultUpboundIoV1alpha1TokenStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. 
+ reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + + diff --git a/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_vault_namespace.k b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_vault_namespace.k new file mode 100644 index 00000000..fca6c12a --- /dev/null +++ b/crossplane-provider-vault/vault/v1alpha1/vault_vault_upbound_io_v1alpha1_vault_namespace.k 
@@ -0,0 +1,383 @@ +""" +This file was generated by the KCL auto-gen tool. DO NOT EDIT. +Editing this file might prove futile when you re-run the KCL auto-gen generate command. +""" +import k8s.apimachinery.pkg.apis.meta.v1 + + +schema VaultNamespace: + r""" + VaultNamespace is the Schema for the VaultNamespaces API. Writes namespaces for Vault + + Attributes + ---------- + apiVersion : str, default is "vault.vault.upbound.io/v1alpha1", required + APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind : str, default is "VaultNamespace", required + Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata : v1.ObjectMeta, default is Undefined, optional + metadata + spec : VaultVaultUpboundIoV1alpha1VaultNamespaceSpec, default is Undefined, required + spec + status : VaultVaultUpboundIoV1alpha1VaultNamespaceStatus, default is Undefined, optional + status + """ + + + apiVersion: "vault.vault.upbound.io/v1alpha1" = "vault.vault.upbound.io/v1alpha1" + + kind: "VaultNamespace" = "VaultNamespace" + + metadata?: v1.ObjectMeta + + spec: VaultVaultUpboundIoV1alpha1VaultNamespaceSpec + + status?: VaultVaultUpboundIoV1alpha1VaultNamespaceStatus + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpec: + r""" + VaultNamespaceSpec defines the desired state of VaultNamespace + + Attributes + ---------- + deletionPolicy : str, default is "Delete", optional + DeletionPolicy specifies what will happen to the underlying external when this managed resource is deleted - either "Delete" or "Orphan" the 
external resource. This field is planned to be deprecated in favor of the ManagementPolicies field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + forProvider : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecForProvider, default is Undefined, required + for provider + initProvider : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecInitProvider, default is Undefined, optional + init provider + managementPolicies : [str], default is ["*"], optional + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. 
See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + providerConfigRef : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderConfigRef, default is Undefined, optional + provider config ref + providerRef : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderRef, default is Undefined, optional + provider ref + publishConnectionDetailsTo : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsTo, default is Undefined, optional + publish connection details to + writeConnectionSecretToRef : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecWriteConnectionSecretToRef, default is Undefined, optional + write connection secret to ref + """ + + + deletionPolicy?: "Orphan" | "Delete" = "Delete" + + forProvider: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecForProvider + + initProvider?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecInitProvider + + managementPolicies?: [str] = ["*"] + + providerConfigRef?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderConfigRef + + providerRef?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderRef + + publishConnectionDetailsTo?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsTo + + writeConnectionSecretToRef?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecWriteConnectionSecretToRef + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecForProvider: + r""" + vault vault upbound io v1alpha1 vault namespace spec for provider + + Attributes + ---------- + customMetadata : {str:str}, default is Undefined, optional + Custom metadata describing this namespace. Value type is map[string]string. Requires Vault version 1.12+. Custom metadata describing this namespace. Value type is map[string]string. 
+ namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The path of the namespace. Must not have a trailing /. Namespace path. + pathFq : str, default is Undefined, optional + The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. The path is relative to the provider's namespace argument. The fully qualified namespace path. + """ + + + customMetadata?: {str:str} + + namespace?: str + + path?: str + + pathFq?: str + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecInitProvider: + r""" + THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler. + + Attributes + ---------- + customMetadata : {str:str}, default is Undefined, optional + Custom metadata describing this namespace. Value type is map[string]string. Requires Vault version 1.12+. Custom metadata describing this namespace. Value type is map[string]string. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. 
The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + path : str, default is Undefined, optional + The path of the namespace. Must not have a trailing /. Namespace path. + pathFq : str, default is Undefined, optional + The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. The path is relative to the provider's namespace argument. The fully qualified namespace path. + """ + + + customMetadata?: {str:str} + + namespace?: str + + path?: str + + pathFq?: str + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderConfigRef: + r""" + ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderRef: + r""" + ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef` + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderRefPolicy + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecProviderRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. + """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsTo: + r""" + PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. 
+ + Attributes + ---------- + configRef : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToConfigRef, default is Undefined, optional + config ref + metadata : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToMetadata, default is Undefined, optional + metadata + name : str, default is Undefined, required + Name is the name of the connection secret. + """ + + + configRef?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToConfigRef + + metadata?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToMetadata + + name: str + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToConfigRef: + r""" + SecretStoreConfigRef specifies which secret store config should be used for this ConnectionSecret. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the referenced object. + policy : VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToConfigRefPolicy, default is Undefined, optional + policy + """ + + + name: str + + policy?: VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToConfigRefPolicy + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToConfigRefPolicy: + r""" + Policies for referencing. + + Attributes + ---------- + resolution : str, default is "Required", optional + Resolution specifies whether resolution of this reference is required. The default is 'Required', which means the reconcile will fail if the reference cannot be resolved. 'Optional' means this reference will be a no-op if it cannot be resolved. + resolve : str, default is Undefined, optional + Resolve specifies when this reference should be resolved. The default is 'IfNotPresent', which will attempt to resolve the reference only when the corresponding field is not present. Use 'Always' to resolve the reference on every reconcile. 
+ """ + + + resolution?: "Required" | "Optional" = "Required" + + resolve?: "Always" | "IfNotPresent" + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecPublishConnectionDetailsToMetadata: + r""" + Metadata is the metadata for connection secret. + + Attributes + ---------- + annotations : {str:str}, default is Undefined, optional + Annotations are the annotations to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.annotations". - It is up to Secret Store implementation for others store types. + labels : {str:str}, default is Undefined, optional + Labels are the labels/tags to be added to connection secret. - For Kubernetes secrets, this will be used as "metadata.labels". - It is up to Secret Store implementation for others store types. + $type : str, default is Undefined, optional + Type is the SecretType for the connection secret. - Only valid for Kubernetes Secret Stores. + """ + + + annotations?: {str:str} + + labels?: {str:str} + + $type?: str + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceSpecWriteConnectionSecretToRef: + r""" + WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other. + + Attributes + ---------- + name : str, default is Undefined, required + Name of the secret. + namespace : str, default is Undefined, required + Namespace of the secret. + """ + + + name: str + + namespace: str + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceStatus: + r""" + VaultNamespaceStatus defines the observed state of VaultNamespace. 
+ + Attributes + ---------- + atProvider : VaultVaultUpboundIoV1alpha1VaultNamespaceStatusAtProvider, default is Undefined, optional + at provider + conditions : [VaultVaultUpboundIoV1alpha1VaultNamespaceStatusConditionsItems0], default is Undefined, optional + Conditions of the resource. + """ + + + atProvider?: VaultVaultUpboundIoV1alpha1VaultNamespaceStatusAtProvider + + conditions?: [VaultVaultUpboundIoV1alpha1VaultNamespaceStatusConditionsItems0] + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceStatusAtProvider: + r""" + vault vault upbound io v1alpha1 vault namespace status at provider + + Attributes + ---------- + customMetadata : {str:str}, default is Undefined, optional + Custom metadata describing this namespace. Value type is map[string]string. Requires Vault version 1.12+. Custom metadata describing this namespace. Value type is map[string]string. + id : str, default is Undefined, optional + The fully qualified path to the namespace, including the provider namespace and a trailing slash. + namespace : str, default is Undefined, optional + The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise. Target namespace. (requires Enterprise) + namespaceId : str, default is Undefined, optional + Vault server's internal ID of the namespace. Namespace ID. + path : str, default is Undefined, optional + The path of the namespace. Must not have a trailing /. Namespace path. + pathFq : str, default is Undefined, optional + The fully qualified path to the namespace. Useful when provisioning resources in a child namespace. The path is relative to the provider's namespace argument. The fully qualified namespace path. 
+ """ + + + customMetadata?: {str:str} + + id?: str + + namespace?: str + + namespaceId?: str + + path?: str + + pathFq?: str + + +schema VaultVaultUpboundIoV1alpha1VaultNamespaceStatusConditionsItems0: + r""" + A Condition that may apply to a resource. + + Attributes + ---------- + lastTransitionTime : str, default is Undefined, required + LastTransitionTime is the last time this condition transitioned from one status to another. + message : str, default is Undefined, optional + A Message containing details about this condition's last transition from one status to another, if any. + reason : str, default is Undefined, required + A Reason for this condition's last transition from one status to another. + status : str, default is Undefined, required + Status of this condition; is it currently True, False, or Unknown? + $type : str, default is Undefined, required + Type of this condition. At most one of each condition type may apply to a resource at any point in time. + """ + + + lastTransitionTime: str + + message?: str + + reason: str + + status: str + + $type: str + +