added token role and token creation

OWNERS.md

@@ -9,5 +9,6 @@ organization](https://github.com/upbound/) will list their repository maintainer
 
 * Alper Ulucinar <[email protected]> ([ulucinar](https://github.com/ulucinar))
 * Sergen Yalcin <[email protected]> ([sergenyalcin](https://github.com/sergenyalcin))
+* Markus Schweig <[email protected]> ([humoflife](https://github.com/humoflife))
 
 See [CODEOWNERS](./CODEOWNERS) for automatic PR assignment.

apis/v1beta1/types.go

@@ -16,12 +16,99 @@ type ProviderConfigSpec struct {
 	// This is a URL with a scheme, a hostname
 	// and a port but with no path.
 	Address string `json:"address"`
-	// Optional Token, but only auth method for now.
-	// Token string `json:"token"`
+
+	// Optional. If true the environment variable
+	// VAULT_ADDR in the Terraform process environment
+	// will be set to the value of the address argument
+	// from this provider. By default, this is false.
+	AddAddressToEnv bool `json:"add_address_to_env, omitempty"`
+
+	// Optional. Set this to true to disable verification
+	// of the Vault server's TLS certificate. This is
+	// strongly discouraged except in prototype or
+	// development environments, since it exposes the
+	// possibility that Terraform can be tricked into
+	// writing secrets to a server controlled by an intruder.
+	SkipTlsVerify bool `json:"skip_tls_verify, omitempty"`
+
+	// Optional. Name to use as the SNI host when connecting
+	// via TLS.
+	TlsServerName string `json:"tls_server_name, omitempty"`
+
+	// Optional. Set this to true to disable creation of an
+	// intermediate ephemeral Vault token for Terraform to use.
+	// Enabling this is strongly discouraged since it increases
+	// the potential for a renewable Vault token being exposed
+	// in clear text. Only change this setting when the provided
+	// token cannot be permitted to create child tokens and there
+	// is no risk of exposure from the output of Terraform.
+	SkipChildToken bool `json:"skip_child_token, omitempty"`
+
+	// Optional. Used as the duration for the intermediate Vault
+	// token Terraform issues itself, which in turn limits the
+	// duration of secret leases issued by Vault. Defaults to
+	// 20 minutes.
+	MaxLeaseTtlSeconds int `json:"max_lease_ttl_seconds, omitempty"`
+
+	// Optional. Used as the maximum number of retries when a
+	// 5xx error code is encountered. Defaults to 2 retries.
+	MaxRetries int `json:"max_retries, omitempty"`
+
+	// Optional. Maximum number of retries for Client Controlled
+	// Consistency related operations. Defaults to 10 retries.
+	MaxRetriesCcc int `json:"max_retries_ccc, omitempty"`
+
+	// Optional. Set the namespace to use.
+	Namespace string `json:"namespace, omitempty"`
+
+	// Optional. Skip the dynamic fetching of the Vault server
+	// version. Set to true when the /sys/seal-status API
+	// endpoint is not available.
+	SkipGetVaultVersion bool `json:"skip_get_vault_version, omitempty"`
+
+	// Optional. Override the target Vault server semantic
+	// version. Normally the version is dynamically set
+	// from the /sys/seal-status API endpoint. In the case
+	// where this endpoint is not available an override can
+	// be specified here.
+	VaultVersionOverride string `json:"vault_version_override", omitempty"`
+
+	// Optional. A configuration block, described below,
+	// that provides headers to be sent along with all
+	// requests to the Vault server. This block can be
+	// specified multiple times.
+	//
+	// Headers are not supported for now
+	// Headers ProviderHeaders `json:"headers, omitempty"`
+
 	// Credentials required to authenticate to this provider.
+	// There are many options to authenticate. They include
+	// - token - (Optional) Vault token that will be used
+	// by Terraform to authenticate. May be set via the
+	// VAULT_TOKEN environment variable. If none is otherwise
+	// supplied, Terraform will attempt to read it from
+	// ~/.vault-token (where the vault command stores its
+	// current token). Terraform will issue itself a new token
+	// that is a child of the one given, with a short TTL to
+	// limit the exposure of any requested secrets, unless
+	// skip_child_token is set to true (see below). Note
+	// that the given token must have the update capability
+	// on the auth/token/create path in Vault in order to create
+	// child tokens. A token is required for the provider. A
+	// token can explicitly set via token argument, alternatively
+	// a token can be dynamically set via an auth_login* block.
 	Credentials ProviderCredentials `json:"credentials"`
 }
 
+// ProviderHeaders optional.
+// Headers are not supported for now
+// type ProviderHeaders struct {
+// Required header name
+// 	name string `json:"name"`
+// Required header value
+// 	value string `json:"value"`
+// }
+
 // ProviderCredentials required to authenticate.
 type ProviderCredentials struct {
 	// Source of the provider credentials.

examples/adsecretrole/adsecretrole.yaml

@@ -8,6 +8,6 @@ spec:
     role: customer_success
     serviceAccountName: customer_success
     ttl: 60
-    #namespace: upbound-system
+    namespace: vault-test
   providerConfigRef:
     name: vault-provider-config

examples/token/token.yaml

@@ -0,0 +1,12 @@
+apiVersion: vault.vault.upbound.io/v1alpha1
+kind: Token
+metadata:
+  name: vault-token
+spec:
+  forProvider:
+    roleName: "app"
+    ttl: "24h"
+    renewMinLease: 43200
+    renewIncrement: 86400
+  providerConfigRef:
+    name: vault-provider-config

examples/tokenauthbackendrole/tokenauthbackendrole.yaml

@@ -0,0 +1,9 @@
+apiVersion: token.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+  name: app
+spec:
+  forProvider:
+    roleName: "app"
+  providerConfigRef:
+    name: vault-provider-config

internal/clients/vault.go

@@ -94,7 +94,30 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 
 		// Assign mandatory address parameter
 		ps.Configuration[keyAddress] = pc.Spec.Address
-		//ps.Configuration[keyToken] = pc.Spec.Token
+
+		// ps.Configuration[keySkipTlsVerify] = pc.Spec.SkipTlsVerify
+		// if pc.Spec.TlsServerName != "" {
+		// 	ps.Configuration[keyTlsServerName] = pc.Spec.TlsServerName
+		// }
+		// ps.Configuration[keySkipChildToken] = pc.Spec.SkipChildToken
+		// if pc.Spec.MaxLeaseTtlSeconds != 0 {
+		// 	ps.Configuration[keyMaxLeaseTtlSeconds] = pc.Spec.MaxLeaseTtlSeconds
+		// }
+		// if pc.Spec.MaxRetries != 0 {
+		// 	ps.Configuration[keyMaxRetries] = pc.Spec.MaxRetries
+		// }
+		// if pc.Spec.MaxRetriesCcc != 0 {
+		// 	ps.Configuration[keyMaxRetriesCcc] = pc.Spec.MaxRetriesCcc
+		// }
+		// if pc.Spec.Namespace != "" {
+		// 	ps.Configuration[keyNamespace] = pc.Spec.Namespace
+		// }
+		// ps.Configuration[keySkipGetVaultVersion] = pc.Spec.SkipGetVaultVersion
+		// ps.Configuration[keyVaultVersionOverride] = pc.Spec.VaultVersionOverride
+		// Headers are not supported for now
+		// if pc.Spec.Headers != (v1beta1.ProviderHeaders{}) {
+		// 		ps.Configuration[keyHeaders] = pc.Spec.Headers
+		// }
 
 		data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
 		if err != nil {
@@ -163,36 +186,6 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 		if v, ok := creds[keyClientAuth]; ok {
 			ps.Configuration[keyClientAuth] = v
 		}
-		if v, ok := creds[keySkipTlsVerify]; ok {
-			ps.Configuration[keySkipTlsVerify] = v
-		}
-		if v, ok := creds[keyTlsServerName]; ok {
-			ps.Configuration[keyTlsServerName] = v
-		}
-		if v, ok := creds[keySkipChildToken]; ok {
-			ps.Configuration[keySkipChildToken] = v
-		}
-		if v, ok := creds[keyMaxLeaseTtlSeconds]; ok {
-			ps.Configuration[keyMaxLeaseTtlSeconds] = v
-		}
-		if v, ok := creds[keyMaxRetries]; ok {
-			ps.Configuration[keyMaxRetries] = v
-		}
-		if v, ok := creds[keyMaxRetriesCcc]; ok {
-			ps.Configuration[keyMaxRetriesCcc] = v
-		}
-		if v, ok := creds[keyNamespace]; ok {
-			ps.Configuration[keyNamespace] = v
-		}
-		if v, ok := creds[keySkipGetVaultVersion]; ok {
-			ps.Configuration[keySkipGetVaultVersion] = v
-		}
-		if v, ok := creds[keyVaultVersionOverride]; ok {
-			ps.Configuration[keyVaultVersionOverride] = v
-		}
-		if v, ok := creds[keyHeaders]; ok {
-			ps.Configuration[keyHeaders] = v
-		}
 		return ps, nil
 	}
 }

package/crds/vault.upbound.io_providerconfigs.yaml

@@ -47,13 +47,29 @@ spec:
           spec:
             description: A ProviderConfigSpec defines the desired state of a ProviderConfig.
             properties:
+              add_address_to_env:
+                description: Optional. If true the environment variable VAULT_ADDR
+                  in the Terraform process environment will be set to the value of
+                  the address argument from this provider. By default, this is false.
+                type: boolean
               address:
                 description: Required origin URL of the Vault server. This is a URL
                   with a scheme, a hostname and a port but with no path.
                 type: string
               credentials:
-                description: Optional Token, but only auth method for now. Token string
-                  `json:"token"` Credentials required to authenticate to this provider.
+                description: Credentials required to authenticate to this provider.
+                  There are many options to authenticate. They include - token - (Optional)
+                  Vault token that will be used by Terraform to authenticate. May
+                  be set via the VAULT_TOKEN environment variable. If none is otherwise
+                  supplied, Terraform will attempt to read it from ~/.vault-token
+                  (where the vault command stores its current token). Terraform will
+                  issue itself a new token that is a child of the one given, with
+                  a short TTL to limit the exposure of any requested secrets, unless
+                  skip_child_token is set to true (see below). Note that the given
+                  token must have the update capability on the auth/token/create path
+                  in Vault in order to create child tokens. A token is required for
+                  the provider. A token can explicitly set via token argument, alternatively
+                  a token can be dynamically set via an auth_login* block.
                 properties:
                   env:
                     description: Env is a reference to an environment variable that
@@ -105,9 +121,66 @@ spec:
                 required:
                 - source
                 type: object
+              max_lease_ttl_seconds:
+                description: Optional. Used as the duration for the intermediate Vault
+                  token Terraform issues itself, which in turn limits the duration
+                  of secret leases issued by Vault. Defaults to 20 minutes.
+                type: integer
+              max_retries:
+                description: Optional. Used as the maximum number of retries when
+                  a 5xx error code is encountered. Defaults to 2 retries.
+                type: integer
+              max_retries_ccc:
+                description: Optional. Maximum number of retries for Client Controlled
+                  Consistency related operations. Defaults to 10 retries.
+                type: integer
+              namespace:
+                description: Optional. Set the namespace to use.
+                type: string
+              skip_child_token:
+                description: Optional. Set this to true to disable creation of an
+                  intermediate ephemeral Vault token for Terraform to use. Enabling
+                  this is strongly discouraged since it increases the potential for
+                  a renewable Vault token being exposed in clear text. Only change
+                  this setting when the provided token cannot be permitted to create
+                  child tokens and there is no risk of exposure from the output of
+                  Terraform.
+                type: boolean
+              skip_get_vault_version:
+                description: Optional. Skip the dynamic fetching of the Vault server
+                  version. Set to true when the /sys/seal-status API endpoint is not
+                  available.
+                type: boolean
+              skip_tls_verify:
+                description: Optional. Set this to true to disable verification of
+                  the Vault server's TLS certificate. This is strongly discouraged
+                  except in prototype or development environments, since it exposes
+                  the possibility that Terraform can be tricked into writing secrets
+                  to a server controlled by an intruder.
+                type: boolean
+              tls_server_name:
+                description: Optional. Name to use as the SNI host when connecting
+                  via TLS.
+                type: string
+              vault_version_override:
+                description: Optional. Override the target Vault server semantic version.
+                  Normally the version is dynamically set from the /sys/seal-status
+                  API endpoint. In the case where this endpoint is not available an
+                  override can be specified here.
+                type: string
             required:
+            - add_address_to_env
             - address
             - credentials
+            - max_lease_ttl_seconds
+            - max_retries
+            - max_retries_ccc
+            - namespace
+            - skip_child_token
+            - skip_get_vault_version
+            - skip_tls_verify
+            - tls_server_name
+            - vault_version_override
             type: object
           status:
             description: A ProviderConfigStatus reflects the observed state of a ProviderConfig.