diff --git a/Makefile b/Makefile index 5a2ad95..9209afe 100644 --- a/Makefile +++ b/Makefile @@ -77,6 +77,7 @@ UPTEST_LOCAL_CHANNEL = stable KUSTOMIZE_VERSION = v5.3.0 YQ_VERSION = v4.40.5 CROSSPLANE_VERSION = 1.14.6 +CRDDIFF_VERSION = v0.12.1 export UP_VERSION := $(UP_VERSION) export UP_CHANNEL := $(UP_CHANNEL) @@ -260,7 +261,7 @@ e2e: family-e2e # TODO: please move this to the common build submodule # once the use cases mature -crddiff: $(UPTEST) +crddiff: @$(INFO) Checking breaking CRD schema changes @for crd in $${MODIFIED_CRD_LIST}; do \ if ! git cat-file -e "$${GITHUB_BASE_REF}:$${crd}" 2>/dev/null; then \ @@ -268,7 +269,7 @@ crddiff: $(UPTEST) continue ; \ fi ; \ echo "Checking $${crd} for breaking API changes..." ; \ - changes_detected=$$($(UPTEST) crddiff revision --enable-upjet-extensions <(git cat-file -p "$${GITHUB_BASE_REF}:$${crd}") "$${crd}" 2>&1) ; \ + changes_detected=$$(go run github.com/upbound/uptest/cmd/crddiff@$(CRDDIFF_VERSION) revision --enable-upjet-extensions <(git cat-file -p "$${GITHUB_BASE_REF}:$${crd}") "$${crd}" 2>&1) ; \ if [[ $$? != 0 ]] ; then \ printf "\033[31m"; echo "Breaking change detected!"; printf "\033[0m" ; \ echo "$${changes_detected}" ; \ diff --git a/apis/networksecurity/v1beta1/zz_generated.conversion_hubs.go b/apis/networksecurity/v1beta1/zz_generated.conversion_hubs.go new file mode 100755 index 0000000..b44e241 --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +// Hub marks this type as a conversion hub. +func (tr *ServerTLSPolicy) Hub() {} diff --git a/apis/networksecurity/v1beta1/zz_generated.deepcopy.go b/apis/networksecurity/v1beta1/zz_generated.deepcopy.go new file mode 100644 index 0000000..ec68235 --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_generated.deepcopy.go 
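Review bot: In the crddiff recipe (hunk @@ -268), a failure of `go run github.com/upbound/uptest/cmd/crddiff@$(CRDDIFF_VERSION)` itself — a module download or proxy/checksum-database error, or a build failure of the fetched tool — is now reported as "Breaking change detected!", because `2>&1` folds the toolchain's stderr into `changes_detected` and the `$$? != 0` test cannot distinguish that from a real schema diff. With the `$(UPTEST)` prerequisite dropped in hunk @@ -260, nothing resolves the tool before the loop, so in a fresh checkout without network access every CRD in `MODIFIED_CRD_LIST` would be flagged as breaking and the real cause hidden in the captured output. Resolve the tool exactly once before the loop and fail the target on its own error, e.g. `@go install github.com/upbound/uptest/cmd/crddiff@$(CRDDIFF_VERSION) || { echo "crddiff $(CRDDIFF_VERSION) could not be installed"; exit 1; }`, then call the installed binary inside the loop; this also avoids re-invoking `go run` per CRD. Pinning to an exact tag is good — keep it that way rather than `@latest`, since module integrity is only guaranteed through the checksum database for a fixed version.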
@@ -0,0 +1,818 @@ +//go:build !ignore_autogenerated + +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by controller-gen. DO NOT EDIT. + +package v1beta1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CertificateProviderInstanceInitParameters) DeepCopyInto(out *CertificateProviderInstanceInitParameters) { + *out = *in + if in.PluginInstance != nil { + in, out := &in.PluginInstance, &out.PluginInstance + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateProviderInstanceInitParameters. +func (in *CertificateProviderInstanceInitParameters) DeepCopy() *CertificateProviderInstanceInitParameters { + if in == nil { + return nil + } + out := new(CertificateProviderInstanceInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CertificateProviderInstanceObservation) DeepCopyInto(out *CertificateProviderInstanceObservation) { + *out = *in + if in.PluginInstance != nil { + in, out := &in.PluginInstance, &out.PluginInstance + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateProviderInstanceObservation. +func (in *CertificateProviderInstanceObservation) DeepCopy() *CertificateProviderInstanceObservation { + if in == nil { + return nil + } + out := new(CertificateProviderInstanceObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CertificateProviderInstanceParameters) DeepCopyInto(out *CertificateProviderInstanceParameters) { + *out = *in + if in.PluginInstance != nil { + in, out := &in.PluginInstance, &out.PluginInstance + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateProviderInstanceParameters. +func (in *CertificateProviderInstanceParameters) DeepCopy() *CertificateProviderInstanceParameters { + if in == nil { + return nil + } + out := new(CertificateProviderInstanceParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientValidationCAInitParameters) DeepCopyInto(out *ClientValidationCAInitParameters) { + *out = *in + if in.CertificateProviderInstance != nil { + in, out := &in.CertificateProviderInstance, &out.CertificateProviderInstance + *out = new(CertificateProviderInstanceInitParameters) + (*in).DeepCopyInto(*out) + } + if in.GRPCEndpoint != nil { + in, out := &in.GRPCEndpoint, &out.GRPCEndpoint + *out = new(GRPCEndpointInitParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientValidationCAInitParameters. +func (in *ClientValidationCAInitParameters) DeepCopy() *ClientValidationCAInitParameters { + if in == nil { + return nil + } + out := new(ClientValidationCAInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClientValidationCAObservation) DeepCopyInto(out *ClientValidationCAObservation) { + *out = *in + if in.CertificateProviderInstance != nil { + in, out := &in.CertificateProviderInstance, &out.CertificateProviderInstance + *out = new(CertificateProviderInstanceObservation) + (*in).DeepCopyInto(*out) + } + if in.GRPCEndpoint != nil { + in, out := &in.GRPCEndpoint, &out.GRPCEndpoint + *out = new(GRPCEndpointObservation) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientValidationCAObservation. +func (in *ClientValidationCAObservation) DeepCopy() *ClientValidationCAObservation { + if in == nil { + return nil + } + out := new(ClientValidationCAObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClientValidationCAParameters) DeepCopyInto(out *ClientValidationCAParameters) { + *out = *in + if in.CertificateProviderInstance != nil { + in, out := &in.CertificateProviderInstance, &out.CertificateProviderInstance + *out = new(CertificateProviderInstanceParameters) + (*in).DeepCopyInto(*out) + } + if in.GRPCEndpoint != nil { + in, out := &in.GRPCEndpoint, &out.GRPCEndpoint + *out = new(GRPCEndpointParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientValidationCAParameters. +func (in *ClientValidationCAParameters) DeepCopy() *ClientValidationCAParameters { + if in == nil { + return nil + } + out := new(ClientValidationCAParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *GRPCEndpointInitParameters) DeepCopyInto(out *GRPCEndpointInitParameters) { + *out = *in + if in.TargetURI != nil { + in, out := &in.TargetURI, &out.TargetURI + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCEndpointInitParameters. +func (in *GRPCEndpointInitParameters) DeepCopy() *GRPCEndpointInitParameters { + if in == nil { + return nil + } + out := new(GRPCEndpointInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GRPCEndpointObservation) DeepCopyInto(out *GRPCEndpointObservation) { + *out = *in + if in.TargetURI != nil { + in, out := &in.TargetURI, &out.TargetURI + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCEndpointObservation. +func (in *GRPCEndpointObservation) DeepCopy() *GRPCEndpointObservation { + if in == nil { + return nil + } + out := new(GRPCEndpointObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *GRPCEndpointParameters) DeepCopyInto(out *GRPCEndpointParameters) { + *out = *in + if in.TargetURI != nil { + in, out := &in.TargetURI, &out.TargetURI + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCEndpointParameters. +func (in *GRPCEndpointParameters) DeepCopy() *GRPCEndpointParameters { + if in == nil { + return nil + } + out := new(GRPCEndpointParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *MtlsPolicyInitParameters) DeepCopyInto(out *MtlsPolicyInitParameters) { + *out = *in + if in.ClientValidationCA != nil { + in, out := &in.ClientValidationCA, &out.ClientValidationCA + *out = make([]ClientValidationCAInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientValidationMode != nil { + in, out := &in.ClientValidationMode, &out.ClientValidationMode + *out = new(string) + **out = **in + } + if in.ClientValidationTrustConfig != nil { + in, out := &in.ClientValidationTrustConfig, &out.ClientValidationTrustConfig + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MtlsPolicyInitParameters. +func (in *MtlsPolicyInitParameters) DeepCopy() *MtlsPolicyInitParameters { + if in == nil { + return nil + } + out := new(MtlsPolicyInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MtlsPolicyObservation) DeepCopyInto(out *MtlsPolicyObservation) { + *out = *in + if in.ClientValidationCA != nil { + in, out := &in.ClientValidationCA, &out.ClientValidationCA + *out = make([]ClientValidationCAObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientValidationMode != nil { + in, out := &in.ClientValidationMode, &out.ClientValidationMode + *out = new(string) + **out = **in + } + if in.ClientValidationTrustConfig != nil { + in, out := &in.ClientValidationTrustConfig, &out.ClientValidationTrustConfig + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MtlsPolicyObservation. 
+func (in *MtlsPolicyObservation) DeepCopy() *MtlsPolicyObservation { + if in == nil { + return nil + } + out := new(MtlsPolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MtlsPolicyParameters) DeepCopyInto(out *MtlsPolicyParameters) { + *out = *in + if in.ClientValidationCA != nil { + in, out := &in.ClientValidationCA, &out.ClientValidationCA + *out = make([]ClientValidationCAParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientValidationMode != nil { + in, out := &in.ClientValidationMode, &out.ClientValidationMode + *out = new(string) + **out = **in + } + if in.ClientValidationTrustConfig != nil { + in, out := &in.ClientValidationTrustConfig, &out.ClientValidationTrustConfig + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MtlsPolicyParameters. +func (in *MtlsPolicyParameters) DeepCopy() *MtlsPolicyParameters { + if in == nil { + return nil + } + out := new(MtlsPolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateCertificateProviderInstanceInitParameters) DeepCopyInto(out *ServerCertificateCertificateProviderInstanceInitParameters) { + *out = *in + if in.PluginInstance != nil { + in, out := &in.PluginInstance, &out.PluginInstance + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateCertificateProviderInstanceInitParameters. 
+func (in *ServerCertificateCertificateProviderInstanceInitParameters) DeepCopy() *ServerCertificateCertificateProviderInstanceInitParameters { + if in == nil { + return nil + } + out := new(ServerCertificateCertificateProviderInstanceInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateCertificateProviderInstanceObservation) DeepCopyInto(out *ServerCertificateCertificateProviderInstanceObservation) { + *out = *in + if in.PluginInstance != nil { + in, out := &in.PluginInstance, &out.PluginInstance + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateCertificateProviderInstanceObservation. +func (in *ServerCertificateCertificateProviderInstanceObservation) DeepCopy() *ServerCertificateCertificateProviderInstanceObservation { + if in == nil { + return nil + } + out := new(ServerCertificateCertificateProviderInstanceObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateCertificateProviderInstanceParameters) DeepCopyInto(out *ServerCertificateCertificateProviderInstanceParameters) { + *out = *in + if in.PluginInstance != nil { + in, out := &in.PluginInstance, &out.PluginInstance + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateCertificateProviderInstanceParameters. 
+func (in *ServerCertificateCertificateProviderInstanceParameters) DeepCopy() *ServerCertificateCertificateProviderInstanceParameters { + if in == nil { + return nil + } + out := new(ServerCertificateCertificateProviderInstanceParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateGRPCEndpointInitParameters) DeepCopyInto(out *ServerCertificateGRPCEndpointInitParameters) { + *out = *in + if in.TargetURI != nil { + in, out := &in.TargetURI, &out.TargetURI + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateGRPCEndpointInitParameters. +func (in *ServerCertificateGRPCEndpointInitParameters) DeepCopy() *ServerCertificateGRPCEndpointInitParameters { + if in == nil { + return nil + } + out := new(ServerCertificateGRPCEndpointInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateGRPCEndpointObservation) DeepCopyInto(out *ServerCertificateGRPCEndpointObservation) { + *out = *in + if in.TargetURI != nil { + in, out := &in.TargetURI, &out.TargetURI + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateGRPCEndpointObservation. +func (in *ServerCertificateGRPCEndpointObservation) DeepCopy() *ServerCertificateGRPCEndpointObservation { + if in == nil { + return nil + } + out := new(ServerCertificateGRPCEndpointObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ServerCertificateGRPCEndpointParameters) DeepCopyInto(out *ServerCertificateGRPCEndpointParameters) { + *out = *in + if in.TargetURI != nil { + in, out := &in.TargetURI, &out.TargetURI + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateGRPCEndpointParameters. +func (in *ServerCertificateGRPCEndpointParameters) DeepCopy() *ServerCertificateGRPCEndpointParameters { + if in == nil { + return nil + } + out := new(ServerCertificateGRPCEndpointParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateInitParameters) DeepCopyInto(out *ServerCertificateInitParameters) { + *out = *in + if in.CertificateProviderInstance != nil { + in, out := &in.CertificateProviderInstance, &out.CertificateProviderInstance + *out = new(ServerCertificateCertificateProviderInstanceInitParameters) + (*in).DeepCopyInto(*out) + } + if in.GRPCEndpoint != nil { + in, out := &in.GRPCEndpoint, &out.GRPCEndpoint + *out = new(ServerCertificateGRPCEndpointInitParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateInitParameters. +func (in *ServerCertificateInitParameters) DeepCopy() *ServerCertificateInitParameters { + if in == nil { + return nil + } + out := new(ServerCertificateInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ServerCertificateObservation) DeepCopyInto(out *ServerCertificateObservation) { + *out = *in + if in.CertificateProviderInstance != nil { + in, out := &in.CertificateProviderInstance, &out.CertificateProviderInstance + *out = new(ServerCertificateCertificateProviderInstanceObservation) + (*in).DeepCopyInto(*out) + } + if in.GRPCEndpoint != nil { + in, out := &in.GRPCEndpoint, &out.GRPCEndpoint + *out = new(ServerCertificateGRPCEndpointObservation) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateObservation. +func (in *ServerCertificateObservation) DeepCopy() *ServerCertificateObservation { + if in == nil { + return nil + } + out := new(ServerCertificateObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerCertificateParameters) DeepCopyInto(out *ServerCertificateParameters) { + *out = *in + if in.CertificateProviderInstance != nil { + in, out := &in.CertificateProviderInstance, &out.CertificateProviderInstance + *out = new(ServerCertificateCertificateProviderInstanceParameters) + (*in).DeepCopyInto(*out) + } + if in.GRPCEndpoint != nil { + in, out := &in.GRPCEndpoint, &out.GRPCEndpoint + *out = new(ServerCertificateGRPCEndpointParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerCertificateParameters. +func (in *ServerCertificateParameters) DeepCopy() *ServerCertificateParameters { + if in == nil { + return nil + } + out := new(ServerCertificateParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ServerTLSPolicy) DeepCopyInto(out *ServerTLSPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSPolicy. +func (in *ServerTLSPolicy) DeepCopy() *ServerTLSPolicy { + if in == nil { + return nil + } + out := new(ServerTLSPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServerTLSPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerTLSPolicyInitParameters) DeepCopyInto(out *ServerTLSPolicyInitParameters) { + *out = *in + if in.AllowOpen != nil { + in, out := &in.AllowOpen, &out.AllowOpen + *out = new(bool) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.MtlsPolicy != nil { + in, out := &in.MtlsPolicy, &out.MtlsPolicy + *out = new(MtlsPolicyInitParameters) + (*in).DeepCopyInto(*out) + } + if in.Project != nil { + in, out := &in.Project, &out.Project + *out = new(string) + **out = **in + } + if in.ServerCertificate != nil { + in, out := &in.ServerCertificate, &out.ServerCertificate + *out = new(ServerCertificateInitParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying 
the receiver, creating a new ServerTLSPolicyInitParameters. +func (in *ServerTLSPolicyInitParameters) DeepCopy() *ServerTLSPolicyInitParameters { + if in == nil { + return nil + } + out := new(ServerTLSPolicyInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerTLSPolicyList) DeepCopyInto(out *ServerTLSPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ServerTLSPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSPolicyList. +func (in *ServerTLSPolicyList) DeepCopy() *ServerTLSPolicyList { + if in == nil { + return nil + } + out := new(ServerTLSPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ServerTLSPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ServerTLSPolicyObservation) DeepCopyInto(out *ServerTLSPolicyObservation) { + *out = *in + if in.AllowOpen != nil { + in, out := &in.AllowOpen, &out.AllowOpen + *out = new(bool) + **out = **in + } + if in.CreateTime != nil { + in, out := &in.CreateTime, &out.CreateTime + *out = new(string) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.EffectiveLabels != nil { + in, out := &in.EffectiveLabels, &out.EffectiveLabels + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.MtlsPolicy != nil { + in, out := &in.MtlsPolicy, &out.MtlsPolicy + *out = new(MtlsPolicyObservation) + (*in).DeepCopyInto(*out) + } + if in.Project != nil { + in, out := &in.Project, &out.Project + *out = new(string) + **out = **in + } + if in.ServerCertificate != nil { + in, out := &in.ServerCertificate, &out.ServerCertificate + *out = new(ServerCertificateObservation) + (*in).DeepCopyInto(*out) + } + if in.TerraformLabels != nil { + in, out := &in.TerraformLabels, &out.TerraformLabels + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := 
&inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.UpdateTime != nil { + in, out := &in.UpdateTime, &out.UpdateTime + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSPolicyObservation. +func (in *ServerTLSPolicyObservation) DeepCopy() *ServerTLSPolicyObservation { + if in == nil { + return nil + } + out := new(ServerTLSPolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerTLSPolicyParameters) DeepCopyInto(out *ServerTLSPolicyParameters) { + *out = *in + if in.AllowOpen != nil { + in, out := &in.AllowOpen, &out.AllowOpen + *out = new(bool) + **out = **in + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make(map[string]*string, len(*in)) + for key, val := range *in { + var outVal *string + if val == nil { + (*out)[key] = nil + } else { + inVal := (*in)[key] + in, out := &inVal, &outVal + *out = new(string) + **out = **in + } + (*out)[key] = outVal + } + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.MtlsPolicy != nil { + in, out := &in.MtlsPolicy, &out.MtlsPolicy + *out = new(MtlsPolicyParameters) + (*in).DeepCopyInto(*out) + } + if in.Project != nil { + in, out := &in.Project, &out.Project + *out = new(string) + **out = **in + } + if in.ServerCertificate != nil { + in, out := &in.ServerCertificate, &out.ServerCertificate + *out = new(ServerCertificateParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSPolicyParameters. 
+func (in *ServerTLSPolicyParameters) DeepCopy() *ServerTLSPolicyParameters { + if in == nil { + return nil + } + out := new(ServerTLSPolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerTLSPolicySpec) DeepCopyInto(out *ServerTLSPolicySpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSPolicySpec. +func (in *ServerTLSPolicySpec) DeepCopy() *ServerTLSPolicySpec { + if in == nil { + return nil + } + out := new(ServerTLSPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServerTLSPolicyStatus) DeepCopyInto(out *ServerTLSPolicyStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSPolicyStatus. +func (in *ServerTLSPolicyStatus) DeepCopy() *ServerTLSPolicyStatus { + if in == nil { + return nil + } + out := new(ServerTLSPolicyStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/networksecurity/v1beta1/zz_generated.managed.go b/apis/networksecurity/v1beta1/zz_generated.managed.go new file mode 100644 index 0000000..676a437 --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_generated.managed.go 
@@ -0,0 +1,68 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 +// Code generated by angryjet. DO NOT EDIT. + +package v1beta1 + +import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + +// GetCondition of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetPublishConnectionDetailsTo of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo { + return mg.Spec.PublishConnectionDetailsTo +} + +// GetWriteConnectionSecretToReference of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this ServerTLSPolicy. 
+func (mg *ServerTLSPolicy) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetPublishConnectionDetailsTo of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) { + mg.Spec.PublishConnectionDetailsTo = r +} + +// SetWriteConnectionSecretToReference of this ServerTLSPolicy. +func (mg *ServerTLSPolicy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/networksecurity/v1beta1/zz_generated.managedlist.go b/apis/networksecurity/v1beta1/zz_generated.managedlist.go new file mode 100644 index 0000000..b1705eb --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_generated.managedlist.go @@ -0,0 +1,17 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 +// Code generated by angryjet. DO NOT EDIT. + +package v1beta1 + +import resource "github.com/crossplane/crossplane-runtime/pkg/resource" + +// GetItems of this ServerTLSPolicyList. +func (l *ServerTLSPolicyList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/networksecurity/v1beta1/zz_groupversion_info.go b/apis/networksecurity/v1beta1/zz_groupversion_info.go new file mode 100755 index 0000000..75b7f32 --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_groupversion_info.go 
@@ -0,0 +1,32 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +// +kubebuilder:object:generate=true +// +groupName=networksecurity.gcp-beta.upbound.io +// +versionName=v1beta1 +package v1beta1 + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Package type metadata. +const ( + CRDGroup = "networksecurity.gcp-beta.upbound.io" + CRDVersion = "v1beta1" +) + +var ( + // CRDGroupVersion is the API Group Version used to register the objects + CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) diff --git a/apis/networksecurity/v1beta1/zz_servertlspolicy_terraformed.go b/apis/networksecurity/v1beta1/zz_servertlspolicy_terraformed.go new file mode 100755 index 0000000..083144c --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_servertlspolicy_terraformed.go 
@@ -0,0 +1,129 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/pkg/resource" + "github.com/crossplane/upjet/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this ServerTLSPolicy +func (mg *ServerTLSPolicy) GetTerraformResourceType() string { + return "google_network_security_server_tls_policy" +} + +// GetConnectionDetailsMapping for this ServerTLSPolicy +func (tr *ServerTLSPolicy) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this ServerTLSPolicy +func (tr *ServerTLSPolicy) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this ServerTLSPolicy +func (tr *ServerTLSPolicy) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this ServerTLSPolicy +func (tr *ServerTLSPolicy) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this ServerTLSPolicy +func (tr *ServerTLSPolicy) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this ServerTLSPolicy +func (tr *ServerTLSPolicy) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, 
&tr.Spec.ForProvider) +} + +// GetInitParameters of this ServerTLSPolicy +func (tr *ServerTLSPolicy) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this ServerTLSPolicy +func (tr *ServerTLSPolicy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName()) + } + + return params, nil +} + +// LateInitialize this ServerTLSPolicy using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *ServerTLSPolicy) LateInitialize(attrs []byte) (bool, error) { + params := &ServerTLSPolicyParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *ServerTLSPolicy) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/networksecurity/v1beta1/zz_servertlspolicy_types.go b/apis/networksecurity/v1beta1/zz_servertlspolicy_types.go new file mode 100755 index 0000000..c3f1074 --- /dev/null +++ b/apis/networksecurity/v1beta1/zz_servertlspolicy_types.go 
@@ -0,0 +1,406 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/apis/common/v1" +) + +type CertificateProviderInstanceInitParameters struct { + + // Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance. + PluginInstance *string `json:"pluginInstance,omitempty" tf:"plugin_instance,omitempty"` +} + +type CertificateProviderInstanceObservation struct { + + // Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance. + PluginInstance *string `json:"pluginInstance,omitempty" tf:"plugin_instance,omitempty"` +} + +type CertificateProviderInstanceParameters struct { + + // Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance. + // +kubebuilder:validation:Optional + PluginInstance *string `json:"pluginInstance" tf:"plugin_instance,omitempty"` +} + +type ClientValidationCAInitParameters struct { + + // Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + // Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + // Structure is documented below. 
+ CertificateProviderInstance *CertificateProviderInstanceInitParameters `json:"certificateProviderInstance,omitempty" tf:"certificate_provider_instance,omitempty"` + + // gRPC specific configuration to access the gRPC server to obtain the cert and private key. + // Structure is documented below. + GRPCEndpoint *GRPCEndpointInitParameters `json:"grpcEndpoint,omitempty" tf:"grpc_endpoint,omitempty"` +} + +type ClientValidationCAObservation struct { + + // Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + // Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + // Structure is documented below. + CertificateProviderInstance *CertificateProviderInstanceObservation `json:"certificateProviderInstance,omitempty" tf:"certificate_provider_instance,omitempty"` + + // gRPC specific configuration to access the gRPC server to obtain the cert and private key. + // Structure is documented below. + GRPCEndpoint *GRPCEndpointObservation `json:"grpcEndpoint,omitempty" tf:"grpc_endpoint,omitempty"` +} + +type ClientValidationCAParameters struct { + + // Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + // Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + // Structure is documented below. + // +kubebuilder:validation:Optional + CertificateProviderInstance *CertificateProviderInstanceParameters `json:"certificateProviderInstance,omitempty" tf:"certificate_provider_instance,omitempty"` + + // gRPC specific configuration to access the gRPC server to obtain the cert and private key. + // Structure is documented below. 
+ // +kubebuilder:validation:Optional + GRPCEndpoint *GRPCEndpointParameters `json:"grpcEndpoint,omitempty" tf:"grpc_endpoint,omitempty"` +} + +type GRPCEndpointInitParameters struct { + + // The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:". + TargetURI *string `json:"targetUri,omitempty" tf:"target_uri,omitempty"` +} + +type GRPCEndpointObservation struct { + + // The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:". + TargetURI *string `json:"targetUri,omitempty" tf:"target_uri,omitempty"` +} + +type GRPCEndpointParameters struct { + + // The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:". + // +kubebuilder:validation:Optional + TargetURI *string `json:"targetUri" tf:"target_uri,omitempty"` +} + +type MtlsPolicyInitParameters struct { + + // Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. + // Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. + // Structure is documented below. + ClientValidationCA []ClientValidationCAInitParameters `json:"clientValidationCa,omitempty" tf:"client_validation_ca,omitempty"` + + // When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled. + // Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. + // Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID. + ClientValidationMode *string `json:"clientValidationMode,omitempty" tf:"client_validation_mode,omitempty"` + + // Reference to the TrustConfig from certificatemanager.googleapis.com namespace. + // If specified, the chain validation will be performed against certificates configured in the given TrustConfig. 
+ // Allowed only if the policy is to be used with external HTTPS load balancers. + ClientValidationTrustConfig *string `json:"clientValidationTrustConfig,omitempty" tf:"client_validation_trust_config,omitempty"` +} + +type MtlsPolicyObservation struct { + + // Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. + // Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. + // Structure is documented below. + ClientValidationCA []ClientValidationCAObservation `json:"clientValidationCa,omitempty" tf:"client_validation_ca,omitempty"` + + // When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled. + // Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. + // Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID. + ClientValidationMode *string `json:"clientValidationMode,omitempty" tf:"client_validation_mode,omitempty"` + + // Reference to the TrustConfig from certificatemanager.googleapis.com namespace. + // If specified, the chain validation will be performed against certificates configured in the given TrustConfig. + // Allowed only if the policy is to be used with external HTTPS load balancers. + ClientValidationTrustConfig *string `json:"clientValidationTrustConfig,omitempty" tf:"client_validation_trust_config,omitempty"` +} + +type MtlsPolicyParameters struct { + + // Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. + // Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. + // Structure is documented below. 
+ // +kubebuilder:validation:Optional + ClientValidationCA []ClientValidationCAParameters `json:"clientValidationCa,omitempty" tf:"client_validation_ca,omitempty"` + + // When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled. + // Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. + // Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID. + // +kubebuilder:validation:Optional + ClientValidationMode *string `json:"clientValidationMode,omitempty" tf:"client_validation_mode,omitempty"` + + // Reference to the TrustConfig from certificatemanager.googleapis.com namespace. + // If specified, the chain validation will be performed against certificates configured in the given TrustConfig. + // Allowed only if the policy is to be used with external HTTPS load balancers. + // +kubebuilder:validation:Optional + ClientValidationTrustConfig *string `json:"clientValidationTrustConfig,omitempty" tf:"client_validation_trust_config,omitempty"` +} + +type ServerCertificateCertificateProviderInstanceInitParameters struct { + + // Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance. + PluginInstance *string `json:"pluginInstance,omitempty" tf:"plugin_instance,omitempty"` +} + +type ServerCertificateCertificateProviderInstanceObservation struct { + + // Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance. 
+ PluginInstance *string `json:"pluginInstance,omitempty" tf:"plugin_instance,omitempty"` +} + +type ServerCertificateCertificateProviderInstanceParameters struct { + + // Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance. + // +kubebuilder:validation:Optional + PluginInstance *string `json:"pluginInstance" tf:"plugin_instance,omitempty"` +} + +type ServerCertificateGRPCEndpointInitParameters struct { + + // The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:". + TargetURI *string `json:"targetUri,omitempty" tf:"target_uri,omitempty"` +} + +type ServerCertificateGRPCEndpointObservation struct { + + // The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:". + TargetURI *string `json:"targetUri,omitempty" tf:"target_uri,omitempty"` +} + +type ServerCertificateGRPCEndpointParameters struct { + + // The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:". + // +kubebuilder:validation:Optional + TargetURI *string `json:"targetUri" tf:"target_uri,omitempty"` +} + +type ServerCertificateInitParameters struct { + + // Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + // Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + // Structure is documented below. + CertificateProviderInstance *ServerCertificateCertificateProviderInstanceInitParameters `json:"certificateProviderInstance,omitempty" tf:"certificate_provider_instance,omitempty"` + + // gRPC specific configuration to access the gRPC server to obtain the cert and private key. + // Structure is documented below. 
+ GRPCEndpoint *ServerCertificateGRPCEndpointInitParameters `json:"grpcEndpoint,omitempty" tf:"grpc_endpoint,omitempty"` +} + +type ServerCertificateObservation struct { + + // Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + // Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + // Structure is documented below. + CertificateProviderInstance *ServerCertificateCertificateProviderInstanceObservation `json:"certificateProviderInstance,omitempty" tf:"certificate_provider_instance,omitempty"` + + // gRPC specific configuration to access the gRPC server to obtain the cert and private key. + // Structure is documented below. + GRPCEndpoint *ServerCertificateGRPCEndpointObservation `json:"grpcEndpoint,omitempty" tf:"grpc_endpoint,omitempty"` +} + +type ServerCertificateParameters struct { + + // Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + // Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + // Structure is documented below. + // +kubebuilder:validation:Optional + CertificateProviderInstance *ServerCertificateCertificateProviderInstanceParameters `json:"certificateProviderInstance,omitempty" tf:"certificate_provider_instance,omitempty"` + + // gRPC specific configuration to access the gRPC server to obtain the cert and private key. + // Structure is documented below. + // +kubebuilder:validation:Optional + GRPCEndpoint *ServerCertificateGRPCEndpointParameters `json:"grpcEndpoint,omitempty" tf:"grpc_endpoint,omitempty"` +} + +type ServerTLSPolicyInitParameters struct { + + // This field applies only for Traffic Director policies. 
It is must be set to false for external HTTPS load balancer policies. + // Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. + // Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. + AllowOpen *bool `json:"allowOpen,omitempty" tf:"allow_open,omitempty"` + + // A free-text description of the resource. Max length 1024 characters. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // Set of label tags associated with the ServerTlsPolicy resource. + // Note: This field is non-authoritative, and will only manage the labels present in your configuration. + // Please refer to the field effective_labels for all of the labels present on the resource. + // +mapType=granular + Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"` + + // This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. + // Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. + // Structure is documented below. + MtlsPolicy *MtlsPolicyInitParameters `json:"mtlsPolicy,omitempty" tf:"mtls_policy,omitempty"` + + // The ID of the project in which the resource belongs. + // If it is not provided, the provider project is used. 
+ Project *string `json:"project,omitempty" tf:"project,omitempty"` + + // Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. + // Structure is documented below. + ServerCertificate *ServerCertificateInitParameters `json:"serverCertificate,omitempty" tf:"server_certificate,omitempty"` +} + +type ServerTLSPolicyObservation struct { + + // This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. + // Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. + // Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. + AllowOpen *bool `json:"allowOpen,omitempty" tf:"allow_open,omitempty"` + + // Time the ServerTlsPolicy was created in UTC. + CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"` + + // A free-text description of the resource. Max length 1024 characters. + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // +mapType=granular + EffectiveLabels map[string]*string `json:"effectiveLabels,omitempty" tf:"effective_labels,omitempty"` + + // an identifier for the resource with format projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}} + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // Set of label tags associated with the ServerTlsPolicy resource. + // Note: This field is non-authoritative, and will only manage the labels present in your configuration. 
+ // Please refer to the field effective_labels for all of the labels present on the resource. + // +mapType=granular + Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"` + + // The location of the server tls policy. + // The default value is global. + Location *string `json:"location,omitempty" tf:"location,omitempty"` + + // This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. + // Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. + // Structure is documented below. + MtlsPolicy *MtlsPolicyObservation `json:"mtlsPolicy,omitempty" tf:"mtls_policy,omitempty"` + + // The ID of the project in which the resource belongs. + // If it is not provided, the provider project is used. + Project *string `json:"project,omitempty" tf:"project,omitempty"` + + // Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. + // Structure is documented below. + ServerCertificate *ServerCertificateObservation `json:"serverCertificate,omitempty" tf:"server_certificate,omitempty"` + + // The combination of labels configured directly on the resource + // and default labels configured on the provider. + // +mapType=granular + TerraformLabels map[string]*string `json:"terraformLabels,omitempty" tf:"terraform_labels,omitempty"` + + // Time the ServerTlsPolicy was updated in UTC. + UpdateTime *string `json:"updateTime,omitempty" tf:"update_time,omitempty"` +} + +type ServerTLSPolicyParameters struct { + + // This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. 
+ // Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. + // Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. + // +kubebuilder:validation:Optional + AllowOpen *bool `json:"allowOpen,omitempty" tf:"allow_open,omitempty"` + + // A free-text description of the resource. Max length 1024 characters. + // +kubebuilder:validation:Optional + Description *string `json:"description,omitempty" tf:"description,omitempty"` + + // Set of label tags associated with the ServerTlsPolicy resource. + // Note: This field is non-authoritative, and will only manage the labels present in your configuration. + // Please refer to the field effective_labels for all of the labels present on the resource. + // +kubebuilder:validation:Optional + // +mapType=granular + Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"` + + // The location of the server tls policy. + // The default value is global. + // +kubebuilder:validation:Required + Location *string `json:"location" tf:"location,omitempty"` + + // This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. + // Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. + // Structure is documented below. 
+ // +kubebuilder:validation:Optional + MtlsPolicy *MtlsPolicyParameters `json:"mtlsPolicy,omitempty" tf:"mtls_policy,omitempty"` + + // The ID of the project in which the resource belongs. + // If it is not provided, the provider project is used. + // +kubebuilder:validation:Optional + Project *string `json:"project,omitempty" tf:"project,omitempty"` + + // Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. + // Structure is documented below. + // +kubebuilder:validation:Optional + ServerCertificate *ServerCertificateParameters `json:"serverCertificate,omitempty" tf:"server_certificate,omitempty"` +} + +// ServerTLSPolicySpec defines the desired state of ServerTLSPolicy +type ServerTLSPolicySpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider ServerTLSPolicyParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider ServerTLSPolicyInitParameters `json:"initProvider,omitempty"` +} + +// ServerTLSPolicyStatus defines the observed state of ServerTLSPolicy. 
+type ServerTLSPolicyStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider ServerTLSPolicyObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// ServerTLSPolicy is the Schema for the ServerTLSPolicys API. ClientTlsPolicy is a resource that specifies how a client should authenticate connections to backends of a service. +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,gcp-beta} +type ServerTLSPolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec ServerTLSPolicySpec `json:"spec"` + Status ServerTLSPolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// ServerTLSPolicyList contains a list of ServerTLSPolicys +type ServerTLSPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ServerTLSPolicy `json:"items"` +} + +// Repository type metadata. +var ( + ServerTLSPolicy_Kind = "ServerTLSPolicy" + ServerTLSPolicy_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: ServerTLSPolicy_Kind}.String() + ServerTLSPolicy_KindAPIVersion = ServerTLSPolicy_Kind + "." + CRDGroupVersion.String() + ServerTLSPolicy_GroupVersionKind = CRDGroupVersion.WithKind(ServerTLSPolicy_Kind) +) + +func init() { + SchemeBuilder.Register(&ServerTLSPolicy{}, &ServerTLSPolicyList{}) +} diff --git a/apis/zz_register.go b/apis/zz_register.go index 2c2f4a3..893ac15 100755 --- a/apis/zz_register.go 
+++ b/apis/zz_register.go
@@ -13,6 +13,7 @@ import (
 v1beta1 "github.com/upbound/provider-gcp-beta/apis/cloudplatform/v1beta1"
 v1beta1container "github.com/upbound/provider-gcp-beta/apis/container/v1beta1"
 v1beta2 "github.com/upbound/provider-gcp-beta/apis/container/v1beta2"
+ v1beta1networksecurity "github.com/upbound/provider-gcp-beta/apis/networksecurity/v1beta1"
 v1alpha1 "github.com/upbound/provider-gcp-beta/apis/v1alpha1"
 v1beta1apis "github.com/upbound/provider-gcp-beta/apis/v1beta1"
 )
@@ -23,6 +24,7 @@ func init() {
 v1beta1.SchemeBuilder.AddToScheme,
 v1beta1container.SchemeBuilder.AddToScheme,
 v1beta2.SchemeBuilder.AddToScheme,
+ v1beta1networksecurity.SchemeBuilder.AddToScheme,
 v1alpha1.SchemeBuilder.AddToScheme,
 v1beta1apis.SchemeBuilder.AddToScheme,
 )
diff --git a/cmd/provider/networksecurity/zz_main.go b/cmd/provider/networksecurity/zz_main.go
new file mode 100644
index 0000000..b1e5325
--- /dev/null
+++ b/cmd/provider/networksecurity/zz_main.go
@@ -0,0 +1,221 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +package main + +import ( + "context" + "fmt" + "io" + "log" + "os" + "path/filepath" + "time" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/certificates" + xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller" + "github.com/crossplane/crossplane-runtime/pkg/feature" + "github.com/crossplane/crossplane-runtime/pkg/logging" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/conversion" + "gopkg.in/alecthomas/kingpin.v2" + kerrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" + "k8s.io/client-go/tools/leaderelection/resourcelock" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/cache" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics" + "sigs.k8s.io/controller-runtime/pkg/webhook" + + "github.com/upbound/provider-gcp-beta/apis" + "github.com/upbound/provider-gcp-beta/apis/v1alpha1" + "github.com/upbound/provider-gcp-beta/config" + resolverapis "github.com/upbound/provider-gcp-beta/internal/apis" + "github.com/upbound/provider-gcp-beta/internal/clients" + "github.com/upbound/provider-gcp-beta/internal/controller" + "github.com/upbound/provider-gcp-beta/internal/features" +) + +const ( + webhookTLSCertDirEnvVar = "WEBHOOK_TLS_CERT_DIR" + tlsServerCertDirEnvVar = "TLS_SERVER_CERTS_DIR" + certsDirEnvVar = "CERTS_DIR" + tlsServerCertDir = "/tls/server" +) + +func deprecationAction(flagName string) kingpin.Action { 
+ return func(c *kingpin.ParseContext) error { + _, err := fmt.Fprintf(os.Stderr, "warning: Command-line flag %q is deprecated and no longer used. It will be removed in a future release. Please remove it from all of your configurations (ControllerConfigs, etc.).\n", flagName) + kingpin.FatalIfError(err, "Failed to print the deprecation notice.") + return nil + } +} + +func main() { + var ( + app = kingpin.New(filepath.Base(os.Args[0]), "Terraform based Crossplane provider for GCP").DefaultEnvars() + debug = app.Flag("debug", "Run with debug logging.").Short('d').Bool() + syncInterval = app.Flag("sync", "Sync interval controls how often all resources will be double checked for drift.").Short('s').Default("1h").Duration() + pollInterval = app.Flag("poll", "Poll interval controls how often an individual resource should be checked for drift.").Default("10m").Duration() + pollStateMetricInterval = app.Flag("poll-state-metric", "State metric recording interval").Default("5s").Duration() + leaderElection = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool() + maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may checked for drift from the desired state.").Default("100").Int() + + namespace = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String() + essTLSCertsPath = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String() + enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool() + enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool() + + 
certsDirSet = false + // we record whether the command-line option "--certs-dir" was supplied + // in the registered PreAction for the flag. + certsDir = app.Flag("certs-dir", "The directory that contains the server key and certificate.").Default(tlsServerCertDir).Envar(certsDirEnvVar).PreAction(func(_ *kingpin.ParseContext) error { + certsDirSet = true + return nil + }).String() + + // now deprecated command-line arguments with the Terraform SDK-based upjet architecture + _ = app.Flag("provider-ttl", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] TTL for the native plugin processes before they are replaced. Changing the default may increase memory consumption.").Hidden().Action(deprecationAction("provider-ttl")).Int() + _ = app.Flag("terraform-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform version.").Envar("TERRAFORM_VERSION").Hidden().Action(deprecationAction("terraform-version")).String() + _ = app.Flag("terraform-provider-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform provider version.").Envar("TERRAFORM_PROVIDER_VERSION").Hidden().Action(deprecationAction("terraform-provider-version")).String() + _ = app.Flag("terraform-native-provider-path", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform native provider path for shared execution.").Envar("TERRAFORM_NATIVE_PROVIDER_PATH").Hidden().Action(deprecationAction("terraform-native-provider-path")).String() + _ = app.Flag("terraform-provider-source", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] 
Terraform provider source.").Envar("TERRAFORM_PROVIDER_SOURCE").Hidden().Action(deprecationAction("terraform-provider-source")).String() + ) + + kingpin.MustParse(app.Parse(os.Args[1:])) + log.Default().SetOutput(io.Discard) + ctrl.SetLogger(zap.New(zap.WriteTo(io.Discard))) + + zl := zap.New(zap.UseDevMode(*debug)) + logr := logging.NewLogrLogger(zl.WithName("provider-upjet-gcp-beta")) + if *debug { + // The controller-runtime runs with a no-op logger by default. It is + // *very* verbose even at info level, so we only provide it a real + // logger when we're running in debug mode. + ctrl.SetLogger(zl) + } + + // currently, we configure the jitter to be the 5% of the poll interval + pollJitter := time.Duration(float64(*pollInterval) * 0.05) + logr.Debug("Starting", "sync-interval", syncInterval.String(), + "poll-interval", pollInterval.String(), "poll-jitter", pollJitter, "max-reconcile-rate", *maxReconcileRate) + + cfg, err := ctrl.GetConfig() + kingpin.FatalIfError(err, "Cannot get API server rest config") + + // Get the TLS certs directory from the environment variables set by + // Crossplane if they're available. + // In older XP versions we used WEBHOOK_TLS_CERT_DIR, in newer versions + // we use TLS_SERVER_CERTS_DIR. If an explicit certs dir is not supplied + // via the command-line options, then these environment variables are used + // instead. + if !certsDirSet { + // backwards-compatibility concerns + xpCertsDir := os.Getenv(certsDirEnvVar) + if xpCertsDir == "" { + xpCertsDir = os.Getenv(tlsServerCertDirEnvVar) + } + if xpCertsDir == "" { + xpCertsDir = os.Getenv(webhookTLSCertDirEnvVar) + } + // we probably don't need this condition but just to be on the + // safe side, if we are missing any kingpin machinery details... 
+ if xpCertsDir != "" { + *certsDir = xpCertsDir + } + } + + mgr, err := ctrl.NewManager(ratelimiter.LimitRESTConfig(cfg, *maxReconcileRate), ctrl.Options{ + LeaderElection: *leaderElection, + LeaderElectionID: "crossplane-leader-election-provider-upjet-gcp-beta-networksecurity", + Cache: cache.Options{ + SyncPeriod: syncInterval, + }, + WebhookServer: webhook.NewServer( + webhook.Options{ + CertDir: *certsDir, + }), + LeaderElectionResourceLock: resourcelock.LeasesResourceLock, + LeaseDuration: func() *time.Duration { d := 60 * time.Second; return &d }(), + RenewDeadline: func() *time.Duration { d := 50 * time.Second; return &d }(), + }) + kingpin.FatalIfError(err, "Cannot create controller manager") + kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add GCP APIs to scheme") + kingpin.FatalIfError(resolverapis.BuildScheme(apis.AddToSchemes), "Cannot register the GCP APIs with the API resolver's runtime scheme") + + metricRecorder := managed.NewMRMetricRecorder() + stateMetrics := statemetrics.NewMRStateMetrics() + + metrics.Registry.MustRegister(metricRecorder) + metrics.Registry.MustRegister(stateMetrics) + + ctx := context.Background() + provider, err := config.GetProvider(ctx, false) + kingpin.FatalIfError(err, "Cannot initialize the provider configuration") + o := tjcontroller.Options{ + Options: xpcontroller.Options{ + Logger: logr, + GlobalRateLimiter: ratelimiter.NewGlobal(*maxReconcileRate), + PollInterval: *pollInterval, + MaxConcurrentReconciles: *maxReconcileRate, + Features: &feature.Flags{}, + MetricOptions: &xpcontroller.MetricOptions{ + PollStateMetricInterval: *pollStateMetricInterval, + MRMetrics: metricRecorder, + MRStateMetrics: stateMetrics, + }, + }, + Provider: provider, + SetupFn: clients.TerraformSetupBuilder(provider.TerraformProvider), + PollJitter: pollJitter, + OperationTrackerStore: tjcontroller.NewOperationStore(logr), + StartWebhooks: *certsDir != "", + } + + if *enableManagementPolicies { + 
o.Features.Enable(features.EnableBetaManagementPolicies) + logr.Info("Beta feature enabled", "flag", features.EnableBetaManagementPolicies) + } + + if *enableExternalSecretStores { + o.SecretStoreConfigGVK = &v1alpha1.StoreConfigGroupVersionKind + logr.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores) + + o.ESSOptions = &tjcontroller.ESSOptions{} + if *essTLSCertsPath != "" { + logr.Info("ESS TLS certificates path is set. Loading mTLS configuration.") + tCfg, err := certificates.LoadMTLSConfig(filepath.Join(*essTLSCertsPath, "ca.crt"), filepath.Join(*essTLSCertsPath, "tls.crt"), filepath.Join(*essTLSCertsPath, "tls.key"), false) + kingpin.FatalIfError(err, "Cannot load ESS TLS config.") + + o.ESSOptions.TLSConfig = tCfg + } + + // Ensure default store config exists. + kingpin.FatalIfError(resource.Ignore(kerrors.IsAlreadyExists, mgr.GetClient().Create(ctx, &v1alpha1.StoreConfig{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + }, + Spec: v1alpha1.StoreConfigSpec{ + // NOTE(turkenh): We only set required spec and expect optional + // ones to properly be initialized with CRD level default values. + SecretStoreConfig: xpv1.SecretStoreConfig{ + DefaultScope: *namespace, + }, + }, + Status: v1alpha1.StoreConfigStatus{}, + })), "cannot create default store config") + } + + kingpin.FatalIfError(conversion.RegisterConversions(o.Provider), "Cannot initialize the webhook conversion registry") + kingpin.FatalIfError(controller.Setup_networksecurity(mgr, o), "Cannot setup GCP controllers") + kingpin.FatalIfError(mgr.Start(ctrl.SetupSignalHandler()), "Cannot start controller manager") +} diff --git a/config/externalname.go b/config/externalname.go index 55a80d0..17d3985 100644 --- a/config/externalname.go +++ b/config/externalname.go 
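Review bot: When `--enable-external-secret-stores` is set but `--ess-tls-cert-dir` is empty, the branch near the end of main leaves `o.ESSOptions.TLSConfig` nil and continues without saying so, so the details manager that the generated controllers build from it will presumably talk to the store plugin without mTLS; only the mTLS path logs anything. Make the downgrade visible, e.g. add an else branch with `logr.Info("ESS TLS certificates path is not set; external secret store connections will not use mTLS.")`, or treat the missing path as fatal if the deployment is expected to always run with mTLS. Similarly, `StartWebhooks: *certsDir != ""` is always true with the `/tls/server` default unless the flag is explicitly emptied, which the `--certs-dir` help text does not mention; a short addition to that help string would avoid surprises. If this file is rendered from the upjet provider template, the fix belongs in the template rather than here. main() is contained entirely within this hunk.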
@@ -28,6 +28,11 @@ var terraformPluginSDKExternalNameConfigs = map[string]config.ExternalName{ "google_container_cluster": config.TemplatedStringAsIdentifier("name", "projects/{{ .setup.configuration.project }}/locations/{{ .parameters.location }}/clusters/{{ .external_name }}"), // Imported by using the following format: my-gcp-project/us-east1-a/my-cluster/main-pool "google_container_node_pool": config.TemplatedStringAsIdentifier("name", "{{ .setup.configuration.project }}/{{ .parameters.location }}/{{ .parameters.cluster }}/{{ .external_name }}"), + + // networksecurity + // + // The resource can be imported using projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}} + "google_network_security_server_tls_policy": config.TemplatedStringAsIdentifier("name", "projects/{{ .setup.configuration.project }}/locations/{{ .parameters.location }}/serverTlsPolicies/{{ .external_name }}"), } // cliReconciledExternalNameConfigs contains all external name configurations diff --git a/config/generated.lst b/config/generated.lst index 9fa710c..5b0514c 100644 --- a/config/generated.lst +++ b/config/generated.lst @@ -1 +1 @@ -["google_container_cluster","google_container_node_pool","google_project_service_identity","google_service_account"] \ No newline at end of file +["google_container_cluster","google_container_node_pool","google_network_security_server_tls_policy","google_project_service_identity","google_service_account"] \ No newline at end of file diff --git a/config/networksecurity/config.go b/config/networksecurity/config.go new file mode 100644 index 0000000..5efc2a4 --- /dev/null +++ b/config/networksecurity/config.go 
@@ -0,0 +1,17 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: CC0-1.0
+
+package networksecurity
+
+import "github.com/crossplane/upjet/pkg/config"
+
+// Configure configures individual resources by adding custom
+// ResourceConfigurators.
+func Configure(p *config.Provider) {
+ p.AddResourceConfigurator("google_network_security_server_tls_policy", func(r *config.Resource) {
+ config.MarkAsRequired(r.TerraformResource, "location")
+ r.ShortGroup = "networksecurity"
+ r.Kind = "ServerTLSPolicy"
+ })
+}
diff --git a/config/provider.go b/config/provider.go
index 3932b14..2ce04fc 100644
--- a/config/provider.go
+++ b/config/provider.go
@@ -24,6 +24,7 @@ import (
 "github.com/pkg/errors"
 "github.com/upbound/provider-gcp-beta/config/container"
+ "github.com/upbound/provider-gcp-beta/config/networksecurity"
 "github.com/upbound/provider-gcp-beta/hack"
 )
@@ -180,6 +181,7 @@ func GetProvider(_ context.Context, generationProvider bool) (*ujconfig.Provider
 bumpVersionsWithEmbeddedLists(pc)
 for _, configure := range []func(provider *ujconfig.Provider){
 container.Configure,
+ networksecurity.Configure,
 } {
 configure(pc)
 }
diff --git a/examples-generated/networksecurity/v1beta1/servertlspolicy.yaml b/examples-generated/networksecurity/v1beta1/servertlspolicy.yaml
new file mode 100644
index 0000000..fed035e
--- /dev/null
+++ b/examples-generated/networksecurity/v1beta1/servertlspolicy.yaml
@@ -0,0 +1,21 @@ +apiVersion: networksecurity.gcp-beta.upbound.io/v1beta1 +kind: ServerTLSPolicy +metadata: + annotations: + meta.upbound.io/example-id: networksecurity/v1beta1/servertlspolicy + labels: + testing.upbound.io/example-name: default + name: default +spec: + forProvider: + allowOpen: "false" + description: my description + labels: + foo: bar + mtlsPolicy: + - clientValidationCa: + - grpcEndpoint: + - targetUri: unix:mypath + serverCertificate: + - certificateProviderInstance: + - pluginInstance: google_cloud_private_spiffe
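Review bot: `config.MarkAsRequired(r.TerraformResource, "location")` tightens the upstream schema (whose inherited description says the field defaults to global) without a why-comment, and the generated CRD in this same change ends up carrying both `required: - location` and the description "The default value is global.", which reads as contradictory to users. Add a comment above the call explaining the reason, e.g. `// location is part of the external-name template in config/externalname.go, so it must be set explicitly; the upstream default (global) is not applied here.`. If upjet allows overriding the field description, also dropping the default claim there would keep the CRD documentation consistent with the schema.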
diff --git a/examples/networksecurity/v1beta1/servertlspolicy.yaml b/examples/networksecurity/v1beta1/servertlspolicy.yaml new file mode 100644 index 0000000..a67d2dd --- /dev/null +++ b/examples/networksecurity/v1beta1/servertlspolicy.yaml @@ -0,0 +1,22 @@ +apiVersion: networksecurity.gcp-beta.upbound.io/v1beta1 +kind: ServerTLSPolicy +metadata: + annotations: + meta.upbound.io/example-id: networksecurity/v1beta1/servertlspolicy + labels: + testing.upbound.io/example-name: default + name: default +spec: + forProvider: + location: global + allowOpen: false + description: my description + labels: + foo: bar + mtlsPolicy: + clientValidationCa: + - grpcEndpoint: + targetUri: unix:mypath + serverCertificate: + certificateProviderInstance: + pluginInstance: google_cloud_private_spiffe diff --git a/internal/controller/networksecurity/servertlspolicy/zz_controller.go b/internal/controller/networksecurity/servertlspolicy/zz_controller.go new file mode 100755 index 0000000..c795e7b --- /dev/null +++ b/internal/controller/networksecurity/servertlspolicy/zz_controller.go 
@@ -0,0 +1,92 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package servertlspolicy + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/pkg/connection" + "github.com/crossplane/crossplane-runtime/pkg/event" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/handler" + "github.com/crossplane/upjet/pkg/metrics" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1beta1 "github.com/upbound/provider-gcp-beta/apis/networksecurity/v1beta1" + features "github.com/upbound/provider-gcp-beta/internal/features" +) + +// Setup adds a controller that reconciles ServerTLSPolicy managed resources. 
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1beta1.ServerTLSPolicy_GroupVersionKind.String()) + var initializers managed.InitializerChain + initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient())) + cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())} + if o.SecretStoreConfigGVK != nil { + cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig))) + } + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1beta1.ServerTLSPolicy_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServerTLSPolicy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["google_network_security_server_tls_policy"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1beta1.ServerTLSPolicy_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + 
managed.WithConnectionPublishers(cps...), + managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1beta1.ServerTLSPolicy + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1beta1.ServerTLSPolicy{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1beta1.ServerTLSPolicy") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1beta1.ServerTLSPolicyList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1beta1.ServerTLSPolicyList") + } + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServerTLSPolicy_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1beta1.ServerTLSPolicy{}, eventHandler). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/zz_monolith_setup.go b/internal/controller/zz_monolith_setup.go index f0261d7..c7ef455 100755 --- a/internal/controller/zz_monolith_setup.go +++ b/internal/controller/zz_monolith_setup.go 
@@ -13,6 +13,7 @@ import ( serviceaccount "github.com/upbound/provider-gcp-beta/internal/controller/cloudplatform/serviceaccount" cluster "github.com/upbound/provider-gcp-beta/internal/controller/container/cluster" nodepool "github.com/upbound/provider-gcp-beta/internal/controller/container/nodepool" + servertlspolicy "github.com/upbound/provider-gcp-beta/internal/controller/networksecurity/servertlspolicy" providerconfig "github.com/upbound/provider-gcp-beta/internal/controller/providerconfig" ) @@ -24,6 +25,7 @@ func Setup_monolith(mgr ctrl.Manager, o controller.Options) error { serviceaccount.Setup, cluster.Setup, nodepool.Setup, + servertlspolicy.Setup, providerconfig.Setup, } { if err := setup(mgr, o); err != nil { diff --git a/internal/controller/zz_networksecurity_setup.go b/internal/controller/zz_networksecurity_setup.go new file mode 100755 index 0000000..48e809d --- /dev/null +++ b/internal/controller/zz_networksecurity_setup.go @@ -0,0 +1,26 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +package controller + +import ( + ctrl "sigs.k8s.io/controller-runtime" + + "github.com/crossplane/upjet/pkg/controller" + + servertlspolicy "github.com/upbound/provider-gcp-beta/internal/controller/networksecurity/servertlspolicy" +) + +// Setup_networksecurity creates all controllers with the supplied logger and adds them to +// the supplied manager. +func Setup_networksecurity(mgr ctrl.Manager, o controller.Options) error { + for _, setup := range []func(ctrl.Manager, controller.Options) error{ + servertlspolicy.Setup, + } { + if err := setup(mgr, o); err != nil { + return err + } + } + return nil +} diff --git a/package/crds/networksecurity.gcp-beta.upbound.io_servertlspolicies.yaml b/package/crds/networksecurity.gcp-beta.upbound.io_servertlspolicies.yaml new file mode 100644 index 0000000..58c711c --- /dev/null +++ b/package/crds/networksecurity.gcp-beta.upbound.io_servertlspolicies.yaml 
@@ -0,0 +1,674 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: servertlspolicies.networksecurity.gcp-beta.upbound.io +spec: + group: networksecurity.gcp-beta.upbound.io + names: + categories: + - crossplane + - managed + - gcp-beta + kind: ServerTLSPolicy + listKind: ServerTLSPolicyList + plural: servertlspolicies + singular: servertlspolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ServerTLSPolicy is the Schema for the ServerTLSPolicys API. ClientTlsPolicy + is a resource that specifies how a client should authenticate connections + to backends of a service. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServerTLSPolicySpec defines the desired state of ServerTLSPolicy + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + allowOpen: + description: |- + This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. + Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. + Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. + type: boolean + description: + description: A free-text description of the resource. Max length + 1024 characters. + type: string + labels: + additionalProperties: + type: string + description: |- + Set of label tags associated with the ServerTlsPolicy resource. + Note: This field is non-authoritative, and will only manage the labels present in your configuration. 
+ Please refer to the field effective_labels for all of the labels present on the resource. + type: object + x-kubernetes-map-type: granular + location: + description: |- + The location of the server tls policy. + The default value is global. + type: string + mtlsPolicy: + description: |- + This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. + Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. + Structure is documented below. + properties: + clientValidationCa: + description: |- + Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. + Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. + Structure is documented below. + items: + properties: + certificateProviderInstance: + description: |- + Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + Structure is documented below. + properties: + pluginInstance: + description: Plugin instance name, used to locate + and load CertificateProvider instance configuration. + Set to "google_cloud_private_spiffe" to use Certificate + Authority Service certificate provider instance. + type: string + type: object + grpcEndpoint: + description: |- + gRPC specific configuration to access the gRPC server to obtain the cert and private key. + Structure is documented below. + properties: + targetUri: + description: The target URI of the gRPC endpoint. 
+ Only UDS path is supported, and should start with + "unix:". + type: string + type: object + type: object + type: array + clientValidationMode: + description: |- + When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled. + Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. + Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID. + type: string + clientValidationTrustConfig: + description: |- + Reference to the TrustConfig from certificatemanager.googleapis.com namespace. + If specified, the chain validation will be performed against certificates configured in the given TrustConfig. + Allowed only if the policy is to be used with external HTTPS load balancers. + type: string + type: object + project: + description: |- + The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + type: string + serverCertificate: + description: |- + Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. + Structure is documented below. + properties: + certificateProviderInstance: + description: |- + Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + Structure is documented below. + properties: + pluginInstance: + description: Plugin instance name, used to locate and + load CertificateProvider instance configuration. Set + to "google_cloud_private_spiffe" to use Certificate + Authority Service certificate provider instance. 
+ type: string + type: object + grpcEndpoint: + description: |- + gRPC specific configuration to access the gRPC server to obtain the cert and private key. + Structure is documented below. + properties: + targetUri: + description: The target URI of the gRPC endpoint. Only + UDS path is supported, and should start with "unix:". + type: string + type: object + type: object + required: + - location + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + allowOpen: + description: |- + This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. + Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. + Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. + type: boolean + description: + description: A free-text description of the resource. Max length + 1024 characters. 
+ type: string + labels: + additionalProperties: + type: string + description: |- + Set of label tags associated with the ServerTlsPolicy resource. + Note: This field is non-authoritative, and will only manage the labels present in your configuration. + Please refer to the field effective_labels for all of the labels present on the resource. + type: object + x-kubernetes-map-type: granular + mtlsPolicy: + description: |- + This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. + Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. + Structure is documented below. + properties: + clientValidationCa: + description: |- + Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. + Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. + Structure is documented below. + items: + properties: + certificateProviderInstance: + description: |- + Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + Structure is documented below. + properties: + pluginInstance: + description: Plugin instance name, used to locate + and load CertificateProvider instance configuration. + Set to "google_cloud_private_spiffe" to use Certificate + Authority Service certificate provider instance. 
+ type: string + type: object + grpcEndpoint: + description: |- + gRPC specific configuration to access the gRPC server to obtain the cert and private key. + Structure is documented below. + properties: + targetUri: + description: The target URI of the gRPC endpoint. + Only UDS path is supported, and should start with + "unix:". + type: string + type: object + type: object + type: array + clientValidationMode: + description: |- + When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled. + Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. + Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID. + type: string + clientValidationTrustConfig: + description: |- + Reference to the TrustConfig from certificatemanager.googleapis.com namespace. + If specified, the chain validation will be performed against certificates configured in the given TrustConfig. + Allowed only if the policy is to be used with external HTTPS load balancers. + type: string + type: object + project: + description: |- + The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + type: string + serverCertificate: + description: |- + Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. + Structure is documented below. + properties: + certificateProviderInstance: + description: |- + Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + Structure is documented below. 
+ properties: + pluginInstance: + description: Plugin instance name, used to locate and + load CertificateProvider instance configuration. Set + to "google_cloud_private_spiffe" to use Certificate + Authority Service certificate provider instance. + type: string + type: object + grpcEndpoint: + description: |- + gRPC specific configuration to access the gRPC server to obtain the cert and private key. + Structure is documented below. + properties: + targetUri: + description: The target URI of the gRPC endpoint. Only + UDS path is supported, and should start with "unix:". + type: string + type: object + type: object + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. 
+ properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. + Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. 
+ type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: ServerTLSPolicyStatus defines the observed state of ServerTLSPolicy. + properties: + atProvider: + properties: + allowOpen: + description: |- + This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. + Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. + Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. + type: boolean + createTime: + description: Time the ServerTlsPolicy was created in UTC. + type: string + description: + description: A free-text description of the resource. Max length + 1024 characters. + type: string + effectiveLabels: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: granular + id: + description: an identifier for the resource with format projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}} + type: string + labels: + additionalProperties: + type: string + description: |- + Set of label tags associated with the ServerTlsPolicy resource. + Note: This field is non-authoritative, and will only manage the labels present in your configuration. + Please refer to the field effective_labels for all of the labels present on the resource. + type: object + x-kubernetes-map-type: granular + location: + description: |- + The location of the server tls policy. + The default value is global. 
+ type: string + mtlsPolicy: + description: |- + This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. + Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. + Structure is documented below. + properties: + clientValidationCa: + description: |- + Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. + Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. + Structure is documented below. + items: + properties: + certificateProviderInstance: + description: |- + Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + Structure is documented below. + properties: + pluginInstance: + description: Plugin instance name, used to locate + and load CertificateProvider instance configuration. + Set to "google_cloud_private_spiffe" to use Certificate + Authority Service certificate provider instance. + type: string + type: object + grpcEndpoint: + description: |- + gRPC specific configuration to access the gRPC server to obtain the cert and private key. + Structure is documented below. + properties: + targetUri: + description: The target URI of the gRPC endpoint. + Only UDS path is supported, and should start with + "unix:". 
+ type: string + type: object + type: object + type: array + clientValidationMode: + description: |- + When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled. + Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. + Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID. + type: string + clientValidationTrustConfig: + description: |- + Reference to the TrustConfig from certificatemanager.googleapis.com namespace. + If specified, the chain validation will be performed against certificates configured in the given TrustConfig. + Allowed only if the policy is to be used with external HTTPS load balancers. + type: string + type: object + project: + description: |- + The ID of the project in which the resource belongs. + If it is not provided, the provider project is used. + type: string + serverCertificate: + description: |- + Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. + Structure is documented below. + properties: + certificateProviderInstance: + description: |- + Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. + Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported. + Structure is documented below. + properties: + pluginInstance: + description: Plugin instance name, used to locate and + load CertificateProvider instance configuration. Set + to "google_cloud_private_spiffe" to use Certificate + Authority Service certificate provider instance. 
+ type: string + type: object + grpcEndpoint: + description: |- + gRPC specific configuration to access the gRPC server to obtain the cert and private key. + Structure is documented below. + properties: + targetUri: + description: The target URI of the gRPC endpoint. Only + UDS path is supported, and should start with "unix:". + type: string + type: object + type: object + terraformLabels: + additionalProperties: + type: string + description: |- + The combination of labels configured directly on the resource + and default labels configured on the provider. + type: object + x-kubernetes-map-type: granular + updateTime: + description: Time the ServerTlsPolicy was updated in UTC. + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. 
+ type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}