diff --git a/apis/cluster/identityprovider/v1alpha1/zz_generated.conversion_hubs.go b/apis/cluster/identityprovider/v1alpha1/zz_generated.conversion_hubs.go index 79ae961b..92930803 100755 --- a/apis/cluster/identityprovider/v1alpha1/zz_generated.conversion_hubs.go +++ b/apis/cluster/identityprovider/v1alpha1/zz_generated.conversion_hubs.go @@ -8,3 +8,6 @@ package v1alpha1 // Hub marks this type as a conversion hub. func (tr *IdentityProviderMapper) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *ProviderTokenExchangeScopePermission) Hub() {} diff --git a/apis/cluster/identityprovider/v1alpha1/zz_generated.deepcopy.go b/apis/cluster/identityprovider/v1alpha1/zz_generated.deepcopy.go index 1dc2a456..973b8b66 100644 --- a/apis/cluster/identityprovider/v1alpha1/zz_generated.deepcopy.go +++ b/apis/cluster/identityprovider/v1alpha1/zz_generated.deepcopy.go 
@@ -284,3 +284,309 @@ func (in *IdentityProviderMapperStatus) DeepCopy() *IdentityProviderMapperStatus in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermission) DeepCopyInto(out *ProviderTokenExchangeScopePermission) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermission. +func (in *ProviderTokenExchangeScopePermission) DeepCopy() *ProviderTokenExchangeScopePermission { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermission) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ProviderTokenExchangeScopePermission) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ProviderTokenExchangeScopePermissionInitParameters) DeepCopyInto(out *ProviderTokenExchangeScopePermissionInitParameters) { + *out = *in + if in.Clients != nil { + in, out := &in.Clients, &out.Clients + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ClientsRefs != nil { + in, out := &in.ClientsRefs, &out.ClientsRefs + *out = make([]v1.Reference, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientsSelector != nil { + in, out := &in.ClientsSelector, &out.ClientsSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.PolicyType != nil { + in, out := &in.PolicyType, &out.PolicyType + *out = new(string) + **out = **in + } + if in.ProviderAlias != nil { + in, out := &in.ProviderAlias, &out.ProviderAlias + *out = new(string) + **out = **in + } + if in.ProviderAliasRef != nil { + in, out := &in.ProviderAliasRef, &out.ProviderAliasRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ProviderAliasSelector != nil { + in, out := &in.ProviderAliasSelector, &out.ProviderAliasSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.RealmID != nil { + in, out := &in.RealmID, &out.RealmID + *out = new(string) + **out = **in + } + if in.RealmIDRef != nil { + in, out := &in.RealmIDRef, &out.RealmIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RealmIDSelector != nil { + in, out := &in.RealmIDSelector, &out.RealmIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionInitParameters. 
+func (in *ProviderTokenExchangeScopePermissionInitParameters) DeepCopy() *ProviderTokenExchangeScopePermissionInitParameters { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermissionList) DeepCopyInto(out *ProviderTokenExchangeScopePermissionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ProviderTokenExchangeScopePermission, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionList. +func (in *ProviderTokenExchangeScopePermissionList) DeepCopy() *ProviderTokenExchangeScopePermissionList { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ProviderTokenExchangeScopePermissionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ProviderTokenExchangeScopePermissionObservation) DeepCopyInto(out *ProviderTokenExchangeScopePermissionObservation) { + *out = *in + if in.AuthorizationIdpResourceID != nil { + in, out := &in.AuthorizationIdpResourceID, &out.AuthorizationIdpResourceID + *out = new(string) + **out = **in + } + if in.AuthorizationResourceServerID != nil { + in, out := &in.AuthorizationResourceServerID, &out.AuthorizationResourceServerID + *out = new(string) + **out = **in + } + if in.AuthorizationTokenExchangeScopePermissionID != nil { + in, out := &in.AuthorizationTokenExchangeScopePermissionID, &out.AuthorizationTokenExchangeScopePermissionID + *out = new(string) + **out = **in + } + if in.Clients != nil { + in, out := &in.Clients, &out.Clients + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.PolicyID != nil { + in, out := &in.PolicyID, &out.PolicyID + *out = new(string) + **out = **in + } + if in.PolicyType != nil { + in, out := &in.PolicyType, &out.PolicyType + *out = new(string) + **out = **in + } + if in.ProviderAlias != nil { + in, out := &in.ProviderAlias, &out.ProviderAlias + *out = new(string) + **out = **in + } + if in.RealmID != nil { + in, out := &in.RealmID, &out.RealmID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionObservation. +func (in *ProviderTokenExchangeScopePermissionObservation) DeepCopy() *ProviderTokenExchangeScopePermissionObservation { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ProviderTokenExchangeScopePermissionParameters) DeepCopyInto(out *ProviderTokenExchangeScopePermissionParameters) { + *out = *in + if in.Clients != nil { + in, out := &in.Clients, &out.Clients + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ClientsRefs != nil { + in, out := &in.ClientsRefs, &out.ClientsRefs + *out = make([]v1.Reference, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientsSelector != nil { + in, out := &in.ClientsSelector, &out.ClientsSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.PolicyType != nil { + in, out := &in.PolicyType, &out.PolicyType + *out = new(string) + **out = **in + } + if in.ProviderAlias != nil { + in, out := &in.ProviderAlias, &out.ProviderAlias + *out = new(string) + **out = **in + } + if in.ProviderAliasRef != nil { + in, out := &in.ProviderAliasRef, &out.ProviderAliasRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ProviderAliasSelector != nil { + in, out := &in.ProviderAliasSelector, &out.ProviderAliasSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.RealmID != nil { + in, out := &in.RealmID, &out.RealmID + *out = new(string) + **out = **in + } + if in.RealmIDRef != nil { + in, out := &in.RealmIDRef, &out.RealmIDRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.RealmIDSelector != nil { + in, out := &in.RealmIDSelector, &out.RealmIDSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionParameters. 
+func (in *ProviderTokenExchangeScopePermissionParameters) DeepCopy() *ProviderTokenExchangeScopePermissionParameters { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermissionSpec) DeepCopyInto(out *ProviderTokenExchangeScopePermissionSpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionSpec. +func (in *ProviderTokenExchangeScopePermissionSpec) DeepCopy() *ProviderTokenExchangeScopePermissionSpec { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermissionStatus) DeepCopyInto(out *ProviderTokenExchangeScopePermissionStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionStatus. +func (in *ProviderTokenExchangeScopePermissionStatus) DeepCopy() *ProviderTokenExchangeScopePermissionStatus { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/cluster/identityprovider/v1alpha1/zz_generated.managed.go b/apis/cluster/identityprovider/v1alpha1/zz_generated.managed.go index e0ac602b..90bfd1ec 100644 --- a/apis/cluster/identityprovider/v1alpha1/zz_generated.managed.go 
+++ b/apis/cluster/identityprovider/v1alpha1/zz_generated.managed.go 
@@ -56,3 +56,53 @@ func (mg *IdentityProviderMapper) SetProviderConfigReference(r *xpv1.Reference) func (mg *IdentityProviderMapper) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { mg.Spec.WriteConnectionSecretToReference = r } + +// GetCondition of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetDeletionPolicy of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetDeletionPolicy() xpv1.DeletionPolicy { + return mg.Spec.DeletionPolicy +} + +// GetManagementPolicies of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetProviderConfigReference() *xpv1.Reference { + return mg.Spec.ProviderConfigReference +} + +// GetWriteConnectionSecretToReference of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetWriteConnectionSecretToReference() *xpv1.SecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetDeletionPolicy of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetDeletionPolicy(r xpv1.DeletionPolicy) { + mg.Spec.DeletionPolicy = r +} + +// SetManagementPolicies of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this ProviderTokenExchangeScopePermission. 
+func (mg *ProviderTokenExchangeScopePermission) SetProviderConfigReference(r *xpv1.Reference) { + mg.Spec.ProviderConfigReference = r +} + +// SetWriteConnectionSecretToReference of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/cluster/identityprovider/v1alpha1/zz_generated.managedlist.go b/apis/cluster/identityprovider/v1alpha1/zz_generated.managedlist.go index 325295b1..a0f0f8bf 100644 --- a/apis/cluster/identityprovider/v1alpha1/zz_generated.managedlist.go +++ b/apis/cluster/identityprovider/v1alpha1/zz_generated.managedlist.go @@ -15,3 +15,12 @@ func (l *IdentityProviderMapperList) GetItems() []resource.Managed { } return items } + +// GetItems of this ProviderTokenExchangeScopePermissionList. +func (l *ProviderTokenExchangeScopePermissionList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/cluster/identityprovider/v1alpha1/zz_generated.resolvers.go b/apis/cluster/identityprovider/v1alpha1/zz_generated.resolvers.go index 158be689..2819cbca 100644 --- a/apis/cluster/identityprovider/v1alpha1/zz_generated.resolvers.go +++ b/apis/cluster/identityprovider/v1alpha1/zz_generated.resolvers.go @@ -8,6 +8,7 @@ package v1alpha1 import ( "context" + common "github.com/crossplane-contrib/provider-keycloak/config/common" apisresolver "github.com/crossplane-contrib/provider-keycloak/internal/apis" reference "github.com/crossplane/crossplane-runtime/v2/pkg/reference" xpresource "github.com/crossplane/crossplane-runtime/v2/pkg/resource" 
@@ -66,3 +67,136 @@ func (mg *IdentityProviderMapper) ResolveReferences( // ResolveReferences of thi return nil } + +// ResolveReferences of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) ResolveReferences(ctx context.Context, c client.Reader) error { + var m xpresource.Managed + var l xpresource.ManagedList + r := reference.NewAPIResolver(c, mg) + + var rsp reference.ResolutionResponse + var mrsp reference.MultiResolutionResponse + var err error + { + m, l, err = apisresolver.GetManagedResource("openidclient.keycloak.crossplane.io", "v1alpha1", "Client", "ClientList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + mrsp, err = r.ResolveMultiple(ctx, reference.MultiResolutionRequest{ + CurrentValues: reference.FromPtrValues(mg.Spec.ForProvider.Clients), + Extract: common.UUIDExtractor(), + Namespace: mg.GetNamespace(), + References: mg.Spec.ForProvider.ClientsRefs, + Selector: mg.Spec.ForProvider.ClientsSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Clients") + } + mg.Spec.ForProvider.Clients = reference.ToPtrValues(mrsp.ResolvedValues) + mg.Spec.ForProvider.ClientsRefs = mrsp.ResolvedReferences + { + m, l, err = apisresolver.GetManagedResource("oidc.keycloak.crossplane.io", "v1alpha1", "IdentityProvider", "IdentityProviderList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.ProviderAlias), + Extract: common.IdentityProviderAliasExtractor(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.ForProvider.ProviderAliasRef, + Selector: mg.Spec.ForProvider.ProviderAliasSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != 
nil { + return errors.Wrap(err, "mg.Spec.ForProvider.ProviderAlias") + } + mg.Spec.ForProvider.ProviderAlias = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.ProviderAliasRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("realm.keycloak.crossplane.io", "v1alpha1", "Realm", "RealmList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.RealmID), + Extract: reference.ExternalName(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.ForProvider.RealmIDRef, + Selector: mg.Spec.ForProvider.RealmIDSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.RealmID") + } + mg.Spec.ForProvider.RealmID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RealmIDRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("openidclient.keycloak.crossplane.io", "v1alpha1", "Client", "ClientList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + mrsp, err = r.ResolveMultiple(ctx, reference.MultiResolutionRequest{ + CurrentValues: reference.FromPtrValues(mg.Spec.InitProvider.Clients), + Extract: common.UUIDExtractor(), + Namespace: mg.GetNamespace(), + References: mg.Spec.InitProvider.ClientsRefs, + Selector: mg.Spec.InitProvider.ClientsSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Clients") + } + mg.Spec.InitProvider.Clients = reference.ToPtrValues(mrsp.ResolvedValues) + mg.Spec.InitProvider.ClientsRefs = mrsp.ResolvedReferences + { + m, l, err = apisresolver.GetManagedResource("oidc.keycloak.crossplane.io", "v1alpha1", "IdentityProvider", "IdentityProviderList") 
+ if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.ProviderAlias), + Extract: common.IdentityProviderAliasExtractor(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.InitProvider.ProviderAliasRef, + Selector: mg.Spec.InitProvider.ProviderAliasSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.ProviderAlias") + } + mg.Spec.InitProvider.ProviderAlias = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.ProviderAliasRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("realm.keycloak.crossplane.io", "v1alpha1", "Realm", "RealmList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.ResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.RealmID), + Extract: reference.ExternalName(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.InitProvider.RealmIDRef, + Selector: mg.Spec.InitProvider.RealmIDSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.RealmID") + } + mg.Spec.InitProvider.RealmID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RealmIDRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/cluster/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_terraformed.go b/apis/cluster/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_terraformed.go new file mode 100755 index 00000000..e15f4064 --- /dev/null +++ b/apis/cluster/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/v2/pkg/resource" + "github.com/crossplane/upjet/v2/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this ProviderTokenExchangeScopePermission +func (mg *ProviderTokenExchangeScopePermission) GetTerraformResourceType() string { + return "keycloak_identity_provider_token_exchange_scope_permission" +} + +// GetConnectionDetailsMapping for this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this 
ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource \"%s/%s\"", tr.GetNamespace(), tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource \"%s/%s\"", tr.GetNamespace(), tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource \"%s/%s\"", tr.GetNamespace(), tr.GetName()) + } + + return params, nil +} + +// LateInitialize this ProviderTokenExchangeScopePermission using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *ProviderTokenExchangeScopePermission) LateInitialize(attrs []byte) (bool, error) { + params := &ProviderTokenExchangeScopePermissionParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *ProviderTokenExchangeScopePermission) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/cluster/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_types.go b/apis/cluster/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_types.go new file mode 100755 index 00000000..40ee2fc4 --- /dev/null +++ b/apis/cluster/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_types.go 
@@ -0,0 +1,209 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/v2/apis/common/v1" +) + +type ProviderTokenExchangeScopePermissionInitParameters struct { + + // A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + // Ids of the clients for which a policy will be created and set on scope based token exchange permission + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/cluster/openidclient/v1alpha1.Client + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.UUIDExtractor() + // +listType=set + Clients []*string `json:"clients,omitempty" tf:"clients,omitempty"` + + // References to Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsRefs []v1.Reference `json:"clientsRefs,omitempty" tf:"-"` + + // Selector for a list of Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsSelector *v1.Selector `json:"clientsSelector,omitempty" tf:"-"` + + // Defaults to "client" This is also the only value policy type supported by this provider. + // Type of policy that is created. At the moment only 'client' type is supported + PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"` + + // Alias of the identity provider. 
+ // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/cluster/oidc/v1alpha1.IdentityProvider + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.IdentityProviderAliasExtractor() + ProviderAlias *string `json:"providerAlias,omitempty" tf:"provider_alias,omitempty"` + + // Reference to a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasRef *v1.Reference `json:"providerAliasRef,omitempty" tf:"-"` + + // Selector for a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasSelector *v1.Selector `json:"providerAliasSelector,omitempty" tf:"-"` + + // The realm that the identity provider exists in. + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/cluster/realm/v1alpha1.Realm + RealmID *string `json:"realmId,omitempty" tf:"realm_id,omitempty"` + + // Reference to a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDRef *v1.Reference `json:"realmIdRef,omitempty" tf:"-"` + + // Selector for a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDSelector *v1.Selector `json:"realmIdSelector,omitempty" tf:"-"` +} + +type ProviderTokenExchangeScopePermissionObservation struct { + + // (Computed) Resource ID representing the identity provider, this automatically created by keycloak. + // Resource id representing the identity provider, this automatically created by keycloak + AuthorizationIdpResourceID *string `json:"authorizationIdpResourceId,omitempty" tf:"authorization_idp_resource_id,omitempty"` + + // (Computed) Resource server ID representing the realm management client on which this permission is managed. 
+ // Resource server id representing the realm management client on which this permission is managed + AuthorizationResourceServerID *string `json:"authorizationResourceServerId,omitempty" tf:"authorization_resource_server_id,omitempty"` + + // (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission. + // Permission id representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy id will be set on this permission + AuthorizationTokenExchangeScopePermissionID *string `json:"authorizationTokenExchangeScopePermissionId,omitempty" tf:"authorization_token_exchange_scope_permission_id,omitempty"` + + // A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + // Ids of the clients for which a policy will be created and set on scope based token exchange permission + // +listType=set + Clients []*string `json:"clients,omitempty" tf:"clients,omitempty"` + + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider. + // Policy id that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider + PolicyID *string `json:"policyId,omitempty" tf:"policy_id,omitempty"` + + // Defaults to "client" This is also the only value policy type supported by this provider. + // Type of policy that is created. At the moment only 'client' type is supported + PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"` + + // Alias of the identity provider. 
+ ProviderAlias *string `json:"providerAlias,omitempty" tf:"provider_alias,omitempty"` + + // The realm that the identity provider exists in. + RealmID *string `json:"realmId,omitempty" tf:"realm_id,omitempty"` +} + +type ProviderTokenExchangeScopePermissionParameters struct { + + // A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + // Ids of the clients for which a policy will be created and set on scope based token exchange permission + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/cluster/openidclient/v1alpha1.Client + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.UUIDExtractor() + // +kubebuilder:validation:Optional + // +listType=set + Clients []*string `json:"clients,omitempty" tf:"clients,omitempty"` + + // References to Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsRefs []v1.Reference `json:"clientsRefs,omitempty" tf:"-"` + + // Selector for a list of Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsSelector *v1.Selector `json:"clientsSelector,omitempty" tf:"-"` + + // Defaults to "client" This is also the only value policy type supported by this provider. + // Type of policy that is created. At the moment only 'client' type is supported + // +kubebuilder:validation:Optional + PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"` + + // Alias of the identity provider. 
+ // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/cluster/oidc/v1alpha1.IdentityProvider + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.IdentityProviderAliasExtractor() + // +kubebuilder:validation:Optional + ProviderAlias *string `json:"providerAlias,omitempty" tf:"provider_alias,omitempty"` + + // Reference to a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasRef *v1.Reference `json:"providerAliasRef,omitempty" tf:"-"` + + // Selector for a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasSelector *v1.Selector `json:"providerAliasSelector,omitempty" tf:"-"` + + // The realm that the identity provider exists in. + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/cluster/realm/v1alpha1.Realm + // +kubebuilder:validation:Optional + RealmID *string `json:"realmId,omitempty" tf:"realm_id,omitempty"` + + // Reference to a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDRef *v1.Reference `json:"realmIdRef,omitempty" tf:"-"` + + // Selector for a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDSelector *v1.Selector `json:"realmIdSelector,omitempty" tf:"-"` +} + +// ProviderTokenExchangeScopePermissionSpec defines the desired state of ProviderTokenExchangeScopePermission +type ProviderTokenExchangeScopePermissionSpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider ProviderTokenExchangeScopePermissionParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. 
The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider ProviderTokenExchangeScopePermissionInitParameters `json:"initProvider,omitempty"` +} + +// ProviderTokenExchangeScopePermissionStatus defines the observed state of ProviderTokenExchangeScopePermission. +type ProviderTokenExchangeScopePermissionStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider ProviderTokenExchangeScopePermissionObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// ProviderTokenExchangeScopePermission is the Schema for the ProviderTokenExchangeScopePermissions API. 
+// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,keycloak} +type ProviderTokenExchangeScopePermission struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec ProviderTokenExchangeScopePermissionSpec `json:"spec"` + Status ProviderTokenExchangeScopePermissionStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// ProviderTokenExchangeScopePermissionList contains a list of ProviderTokenExchangeScopePermissions +type ProviderTokenExchangeScopePermissionList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ProviderTokenExchangeScopePermission `json:"items"` +} + +// Repository type metadata. +var ( + ProviderTokenExchangeScopePermission_Kind = "ProviderTokenExchangeScopePermission" + ProviderTokenExchangeScopePermission_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: ProviderTokenExchangeScopePermission_Kind}.String() + ProviderTokenExchangeScopePermission_KindAPIVersion = ProviderTokenExchangeScopePermission_Kind + "." + CRDGroupVersion.String() + ProviderTokenExchangeScopePermission_GroupVersionKind = CRDGroupVersion.WithKind(ProviderTokenExchangeScopePermission_Kind) +) + +func init() { + SchemeBuilder.Register(&ProviderTokenExchangeScopePermission{}, &ProviderTokenExchangeScopePermissionList{}) +} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_generated.conversion_hubs.go b/apis/namespaced/identityprovider/v1alpha1/zz_generated.conversion_hubs.go index 79ae961b..92930803 100755 
--- a/apis/namespaced/identityprovider/v1alpha1/zz_generated.conversion_hubs.go +++ b/apis/namespaced/identityprovider/v1alpha1/zz_generated.conversion_hubs.go @@ -8,3 +8,6 @@ package v1alpha1 // Hub marks this type as a conversion hub. func (tr *IdentityProviderMapper) Hub() {} + +// Hub marks this type as a conversion hub. +func (tr *ProviderTokenExchangeScopePermission) Hub() {} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_generated.deepcopy.go b/apis/namespaced/identityprovider/v1alpha1/zz_generated.deepcopy.go index 01b97172..1663409d 100644 --- a/apis/namespaced/identityprovider/v1alpha1/zz_generated.deepcopy.go +++ b/apis/namespaced/identityprovider/v1alpha1/zz_generated.deepcopy.go 
@@ -284,3 +284,309 @@ func (in *IdentityProviderMapperStatus) DeepCopy() *IdentityProviderMapperStatus in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermission) DeepCopyInto(out *ProviderTokenExchangeScopePermission) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermission. +func (in *ProviderTokenExchangeScopePermission) DeepCopy() *ProviderTokenExchangeScopePermission { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermission) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ProviderTokenExchangeScopePermission) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ProviderTokenExchangeScopePermissionInitParameters) DeepCopyInto(out *ProviderTokenExchangeScopePermissionInitParameters) { + *out = *in + if in.Clients != nil { + in, out := &in.Clients, &out.Clients + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ClientsRefs != nil { + in, out := &in.ClientsRefs, &out.ClientsRefs + *out = make([]v1.NamespacedReference, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientsSelector != nil { + in, out := &in.ClientsSelector, &out.ClientsSelector + *out = new(v1.NamespacedSelector) + (*in).DeepCopyInto(*out) + } + if in.PolicyType != nil { + in, out := &in.PolicyType, &out.PolicyType + *out = new(string) + **out = **in + } + if in.ProviderAlias != nil { + in, out := &in.ProviderAlias, &out.ProviderAlias + *out = new(string) + **out = **in + } + if in.ProviderAliasRef != nil { + in, out := &in.ProviderAliasRef, &out.ProviderAliasRef + *out = new(v1.NamespacedReference) + (*in).DeepCopyInto(*out) + } + if in.ProviderAliasSelector != nil { + in, out := &in.ProviderAliasSelector, &out.ProviderAliasSelector + *out = new(v1.NamespacedSelector) + (*in).DeepCopyInto(*out) + } + if in.RealmID != nil { + in, out := &in.RealmID, &out.RealmID + *out = new(string) + **out = **in + } + if in.RealmIDRef != nil { + in, out := &in.RealmIDRef, &out.RealmIDRef + *out = new(v1.NamespacedReference) + (*in).DeepCopyInto(*out) + } + if in.RealmIDSelector != nil { + in, out := &in.RealmIDSelector, &out.RealmIDSelector + *out = new(v1.NamespacedSelector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionInitParameters. 
+func (in *ProviderTokenExchangeScopePermissionInitParameters) DeepCopy() *ProviderTokenExchangeScopePermissionInitParameters { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermissionList) DeepCopyInto(out *ProviderTokenExchangeScopePermissionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ProviderTokenExchangeScopePermission, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionList. +func (in *ProviderTokenExchangeScopePermissionList) DeepCopy() *ProviderTokenExchangeScopePermissionList { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ProviderTokenExchangeScopePermissionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ProviderTokenExchangeScopePermissionObservation) DeepCopyInto(out *ProviderTokenExchangeScopePermissionObservation) { + *out = *in + if in.AuthorizationIdpResourceID != nil { + in, out := &in.AuthorizationIdpResourceID, &out.AuthorizationIdpResourceID + *out = new(string) + **out = **in + } + if in.AuthorizationResourceServerID != nil { + in, out := &in.AuthorizationResourceServerID, &out.AuthorizationResourceServerID + *out = new(string) + **out = **in + } + if in.AuthorizationTokenExchangeScopePermissionID != nil { + in, out := &in.AuthorizationTokenExchangeScopePermissionID, &out.AuthorizationTokenExchangeScopePermissionID + *out = new(string) + **out = **in + } + if in.Clients != nil { + in, out := &in.Clients, &out.Clients + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.PolicyID != nil { + in, out := &in.PolicyID, &out.PolicyID + *out = new(string) + **out = **in + } + if in.PolicyType != nil { + in, out := &in.PolicyType, &out.PolicyType + *out = new(string) + **out = **in + } + if in.ProviderAlias != nil { + in, out := &in.ProviderAlias, &out.ProviderAlias + *out = new(string) + **out = **in + } + if in.RealmID != nil { + in, out := &in.RealmID, &out.RealmID + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionObservation. +func (in *ProviderTokenExchangeScopePermissionObservation) DeepCopy() *ProviderTokenExchangeScopePermissionObservation { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ProviderTokenExchangeScopePermissionParameters) DeepCopyInto(out *ProviderTokenExchangeScopePermissionParameters) { + *out = *in + if in.Clients != nil { + in, out := &in.Clients, &out.Clients + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.ClientsRefs != nil { + in, out := &in.ClientsRefs, &out.ClientsRefs + *out = make([]v1.NamespacedReference, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ClientsSelector != nil { + in, out := &in.ClientsSelector, &out.ClientsSelector + *out = new(v1.NamespacedSelector) + (*in).DeepCopyInto(*out) + } + if in.PolicyType != nil { + in, out := &in.PolicyType, &out.PolicyType + *out = new(string) + **out = **in + } + if in.ProviderAlias != nil { + in, out := &in.ProviderAlias, &out.ProviderAlias + *out = new(string) + **out = **in + } + if in.ProviderAliasRef != nil { + in, out := &in.ProviderAliasRef, &out.ProviderAliasRef + *out = new(v1.NamespacedReference) + (*in).DeepCopyInto(*out) + } + if in.ProviderAliasSelector != nil { + in, out := &in.ProviderAliasSelector, &out.ProviderAliasSelector + *out = new(v1.NamespacedSelector) + (*in).DeepCopyInto(*out) + } + if in.RealmID != nil { + in, out := &in.RealmID, &out.RealmID + *out = new(string) + **out = **in + } + if in.RealmIDRef != nil { + in, out := &in.RealmIDRef, &out.RealmIDRef + *out = new(v1.NamespacedReference) + (*in).DeepCopyInto(*out) + } + if in.RealmIDSelector != nil { + in, out := &in.RealmIDSelector, &out.RealmIDSelector + *out = new(v1.NamespacedSelector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionParameters. 
+func (in *ProviderTokenExchangeScopePermissionParameters) DeepCopy() *ProviderTokenExchangeScopePermissionParameters { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermissionSpec) DeepCopyInto(out *ProviderTokenExchangeScopePermissionSpec) { + *out = *in + in.ManagedResourceSpec.DeepCopyInto(&out.ManagedResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionSpec. +func (in *ProviderTokenExchangeScopePermissionSpec) DeepCopy() *ProviderTokenExchangeScopePermissionSpec { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProviderTokenExchangeScopePermissionStatus) DeepCopyInto(out *ProviderTokenExchangeScopePermissionStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderTokenExchangeScopePermissionStatus. +func (in *ProviderTokenExchangeScopePermissionStatus) DeepCopy() *ProviderTokenExchangeScopePermissionStatus { + if in == nil { + return nil + } + out := new(ProviderTokenExchangeScopePermissionStatus) + in.DeepCopyInto(out) + return out +} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_generated.managed.go b/apis/namespaced/identityprovider/v1alpha1/zz_generated.managed.go index a82782b8..78d3f1f9 100644 
--- a/apis/namespaced/identityprovider/v1alpha1/zz_generated.managed.go +++ b/apis/namespaced/identityprovider/v1alpha1/zz_generated.managed.go 
@@ -46,3 +46,43 @@ func (mg *IdentityProviderMapper) SetProviderConfigReference(r *xpv1.ProviderCon func (mg *IdentityProviderMapper) SetWriteConnectionSecretToReference(r *xpv1.LocalSecretReference) { mg.Spec.WriteConnectionSecretToReference = r } + +// GetCondition of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetCondition(ct xpv1.ConditionType) xpv1.Condition { + return mg.Status.GetCondition(ct) +} + +// GetManagementPolicies of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetManagementPolicies() xpv1.ManagementPolicies { + return mg.Spec.ManagementPolicies +} + +// GetProviderConfigReference of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetProviderConfigReference() *xpv1.ProviderConfigReference { + return mg.Spec.ProviderConfigReference +} + +// GetWriteConnectionSecretToReference of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) GetWriteConnectionSecretToReference() *xpv1.LocalSecretReference { + return mg.Spec.WriteConnectionSecretToReference +} + +// SetConditions of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetConditions(c ...xpv1.Condition) { + mg.Status.SetConditions(c...) +} + +// SetManagementPolicies of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetManagementPolicies(r xpv1.ManagementPolicies) { + mg.Spec.ManagementPolicies = r +} + +// SetProviderConfigReference of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) SetProviderConfigReference(r *xpv1.ProviderConfigReference) { + mg.Spec.ProviderConfigReference = r +} + +// SetWriteConnectionSecretToReference of this ProviderTokenExchangeScopePermission. 
+func (mg *ProviderTokenExchangeScopePermission) SetWriteConnectionSecretToReference(r *xpv1.LocalSecretReference) { + mg.Spec.WriteConnectionSecretToReference = r +} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_generated.managedlist.go b/apis/namespaced/identityprovider/v1alpha1/zz_generated.managedlist.go index 325295b1..a0f0f8bf 100644 --- a/apis/namespaced/identityprovider/v1alpha1/zz_generated.managedlist.go +++ b/apis/namespaced/identityprovider/v1alpha1/zz_generated.managedlist.go @@ -15,3 +15,12 @@ func (l *IdentityProviderMapperList) GetItems() []resource.Managed { } return items } + +// GetItems of this ProviderTokenExchangeScopePermissionList. +func (l *ProviderTokenExchangeScopePermissionList) GetItems() []resource.Managed { + items := make([]resource.Managed, len(l.Items)) + for i := range l.Items { + items[i] = &l.Items[i] + } + return items +} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_generated.resolvers.go b/apis/namespaced/identityprovider/v1alpha1/zz_generated.resolvers.go index f13e356e..aed37c3e 100644 --- a/apis/namespaced/identityprovider/v1alpha1/zz_generated.resolvers.go +++ b/apis/namespaced/identityprovider/v1alpha1/zz_generated.resolvers.go @@ -8,6 +8,7 @@ package v1alpha1 import ( "context" + common "github.com/crossplane-contrib/provider-keycloak/config/common" apisresolver "github.com/crossplane-contrib/provider-keycloak/internal/apis" reference "github.com/crossplane/crossplane-runtime/v2/pkg/reference" xpresource "github.com/crossplane/crossplane-runtime/v2/pkg/resource" 
@@ -66,3 +67,136 @@ func (mg *IdentityProviderMapper) ResolveReferences( // ResolveReferences of thi return nil } + +// ResolveReferences of this ProviderTokenExchangeScopePermission. +func (mg *ProviderTokenExchangeScopePermission) ResolveReferences(ctx context.Context, c client.Reader) error { + var m xpresource.Managed + var l xpresource.ManagedList + r := reference.NewAPINamespacedResolver(c, mg) + + var rsp reference.NamespacedResolutionResponse + var mrsp reference.MultiNamespacedResolutionResponse + var err error + { + m, l, err = apisresolver.GetManagedResource("openidclient.keycloak.m.crossplane.io", "v1alpha1", "Client", "ClientList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + mrsp, err = r.ResolveMultiple(ctx, reference.MultiNamespacedResolutionRequest{ + CurrentValues: reference.FromPtrValues(mg.Spec.ForProvider.Clients), + Extract: common.UUIDExtractor(), + Namespace: mg.GetNamespace(), + References: mg.Spec.ForProvider.ClientsRefs, + Selector: mg.Spec.ForProvider.ClientsSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.Clients") + } + mg.Spec.ForProvider.Clients = reference.ToPtrValues(mrsp.ResolvedValues) + mg.Spec.ForProvider.ClientsRefs = mrsp.ResolvedReferences + { + m, l, err = apisresolver.GetManagedResource("oidc.keycloak.m.crossplane.io", "v1alpha1", "IdentityProvider", "IdentityProviderList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.NamespacedResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.ProviderAlias), + Extract: common.IdentityProviderAliasExtractor(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.ForProvider.ProviderAliasRef, + Selector: mg.Spec.ForProvider.ProviderAliasSelector, + To: 
reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.ProviderAlias") + } + mg.Spec.ForProvider.ProviderAlias = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.ProviderAliasRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("realm.keycloak.m.crossplane.io", "v1alpha1", "Realm", "RealmList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.NamespacedResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.RealmID), + Extract: reference.ExternalName(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.ForProvider.RealmIDRef, + Selector: mg.Spec.ForProvider.RealmIDSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.ForProvider.RealmID") + } + mg.Spec.ForProvider.RealmID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.ForProvider.RealmIDRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("openidclient.keycloak.m.crossplane.io", "v1alpha1", "Client", "ClientList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + mrsp, err = r.ResolveMultiple(ctx, reference.MultiNamespacedResolutionRequest{ + CurrentValues: reference.FromPtrValues(mg.Spec.InitProvider.Clients), + Extract: common.UUIDExtractor(), + Namespace: mg.GetNamespace(), + References: mg.Spec.InitProvider.ClientsRefs, + Selector: mg.Spec.InitProvider.ClientsSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.Clients") + } + mg.Spec.InitProvider.Clients = reference.ToPtrValues(mrsp.ResolvedValues) + mg.Spec.InitProvider.ClientsRefs = mrsp.ResolvedReferences + { + m, l, err = 
apisresolver.GetManagedResource("oidc.keycloak.m.crossplane.io", "v1alpha1", "IdentityProvider", "IdentityProviderList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.NamespacedResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.ProviderAlias), + Extract: common.IdentityProviderAliasExtractor(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.InitProvider.ProviderAliasRef, + Selector: mg.Spec.InitProvider.ProviderAliasSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.ProviderAlias") + } + mg.Spec.InitProvider.ProviderAlias = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.ProviderAliasRef = rsp.ResolvedReference + { + m, l, err = apisresolver.GetManagedResource("realm.keycloak.m.crossplane.io", "v1alpha1", "Realm", "RealmList") + if err != nil { + return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution") + } + + rsp, err = r.Resolve(ctx, reference.NamespacedResolutionRequest{ + CurrentValue: reference.FromPtrValue(mg.Spec.InitProvider.RealmID), + Extract: reference.ExternalName(), + Namespace: mg.GetNamespace(), + Reference: mg.Spec.InitProvider.RealmIDRef, + Selector: mg.Spec.InitProvider.RealmIDSelector, + To: reference.To{List: l, Managed: m}, + }) + } + if err != nil { + return errors.Wrap(err, "mg.Spec.InitProvider.RealmID") + } + mg.Spec.InitProvider.RealmID = reference.ToPtrValue(rsp.ResolvedValue) + mg.Spec.InitProvider.RealmIDRef = rsp.ResolvedReference + + return nil +} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_terraformed.go b/apis/namespaced/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_terraformed.go new file mode 100755 index 00000000..e15f4064 --- /dev/null 
+++ b/apis/namespaced/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_terraformed.go 
@@ -0,0 +1,129 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + "dario.cat/mergo" + "github.com/pkg/errors" + + "github.com/crossplane/upjet/v2/pkg/resource" + "github.com/crossplane/upjet/v2/pkg/resource/json" +) + +// GetTerraformResourceType returns Terraform resource type for this ProviderTokenExchangeScopePermission +func (mg *ProviderTokenExchangeScopePermission) GetTerraformResourceType() string { + return "keycloak_identity_provider_token_exchange_scope_permission" +} + +// GetConnectionDetailsMapping for this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetConnectionDetailsMapping() map[string]string { + return nil +} + +// GetObservation of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetObservation() (map[string]any, error) { + o, err := json.TFParser.Marshal(tr.Status.AtProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(o, &base) +} + +// SetObservation for this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) SetObservation(obs map[string]any) error { + p, err := json.TFParser.Marshal(obs) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Status.AtProvider) +} + +// GetID returns ID of underlying Terraform resource of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetID() string { + if tr.Status.AtProvider.ID == nil { + return "" + } + return *tr.Status.AtProvider.ID +} + +// GetParameters of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.ForProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// SetParameters for this 
ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) SetParameters(params map[string]any) error { + p, err := json.TFParser.Marshal(params) + if err != nil { + return err + } + return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider) +} + +// GetInitParameters of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetInitParameters() (map[string]any, error) { + p, err := json.TFParser.Marshal(tr.Spec.InitProvider) + if err != nil { + return nil, err + } + base := map[string]any{} + return base, json.TFParser.Unmarshal(p, &base) +} + +// GetInitParameters of this ProviderTokenExchangeScopePermission +func (tr *ProviderTokenExchangeScopePermission) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) { + params, err := tr.GetParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get parameters for resource \"%s/%s\"", tr.GetNamespace(), tr.GetName()) + } + if !shouldMergeInitProvider { + return params, nil + } + + initParams, err := tr.GetInitParameters() + if err != nil { + return nil, errors.Wrapf(err, "cannot get init parameters for resource \"%s/%s\"", tr.GetNamespace(), tr.GetName()) + } + + // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the + // slices from the initProvider to forProvider. As it also sets + // overwrite to true, we need to set it back to false, we don't + // want to overwrite the forProvider fields with the initProvider + // fields. + err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) { + c.Overwrite = false + }) + if err != nil { + return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource \"%s/%s\"", tr.GetNamespace(), tr.GetName()) + } + + return params, nil +} + +// LateInitialize this ProviderTokenExchangeScopePermission using its observed tfState. +// returns True if there are any spec changes for the resource. 
+func (tr *ProviderTokenExchangeScopePermission) LateInitialize(attrs []byte) (bool, error) { + params := &ProviderTokenExchangeScopePermissionParameters{} + if err := json.TFParser.Unmarshal(attrs, params); err != nil { + return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization") + } + opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)} + + li := resource.NewGenericLateInitializer(opts...) + return li.LateInitialize(&tr.Spec.ForProvider, params) +} + +// GetTerraformSchemaVersion returns the associated Terraform schema version +func (tr *ProviderTokenExchangeScopePermission) GetTerraformSchemaVersion() int { + return 0 +} diff --git a/apis/namespaced/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_types.go b/apis/namespaced/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_types.go new file mode 100755 index 00000000..aee64f74 --- /dev/null +++ b/apis/namespaced/identityprovider/v1alpha1/zz_providertokenexchangescopepermission_types.go 
@@ -0,0 +1,210 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + + v1 "github.com/crossplane/crossplane-runtime/v2/apis/common/v1" + v2 "github.com/crossplane/crossplane-runtime/v2/apis/common/v2" +) + +type ProviderTokenExchangeScopePermissionInitParameters struct { + + // A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + // Ids of the clients for which a policy will be created and set on scope based token exchange permission + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/namespaced/openidclient/v1alpha1.Client + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.UUIDExtractor() + // +listType=set + Clients []*string `json:"clients,omitempty" tf:"clients,omitempty"` + + // References to Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsRefs []v1.NamespacedReference `json:"clientsRefs,omitempty" tf:"-"` + + // Selector for a list of Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsSelector *v1.NamespacedSelector `json:"clientsSelector,omitempty" tf:"-"` + + // Defaults to "client" This is also the only value policy type supported by this provider. + // Type of policy that is created. At the moment only 'client' type is supported + PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"` + + // Alias of the identity provider. 
+ // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/namespaced/oidc/v1alpha1.IdentityProvider + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.IdentityProviderAliasExtractor() + ProviderAlias *string `json:"providerAlias,omitempty" tf:"provider_alias,omitempty"` + + // Reference to a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasRef *v1.NamespacedReference `json:"providerAliasRef,omitempty" tf:"-"` + + // Selector for a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasSelector *v1.NamespacedSelector `json:"providerAliasSelector,omitempty" tf:"-"` + + // The realm that the identity provider exists in. + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/namespaced/realm/v1alpha1.Realm + RealmID *string `json:"realmId,omitempty" tf:"realm_id,omitempty"` + + // Reference to a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDRef *v1.NamespacedReference `json:"realmIdRef,omitempty" tf:"-"` + + // Selector for a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDSelector *v1.NamespacedSelector `json:"realmIdSelector,omitempty" tf:"-"` +} + +type ProviderTokenExchangeScopePermissionObservation struct { + + // (Computed) Resource ID representing the identity provider, this automatically created by keycloak. + // Resource id representing the identity provider, this automatically created by keycloak + AuthorizationIdpResourceID *string `json:"authorizationIdpResourceId,omitempty" tf:"authorization_idp_resource_id,omitempty"` + + // (Computed) Resource server ID representing the realm management client on which this permission is managed. 
+ // Resource server id representing the realm management client on which this permission is managed + AuthorizationResourceServerID *string `json:"authorizationResourceServerId,omitempty" tf:"authorization_resource_server_id,omitempty"` + + // (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission. + // Permission id representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy id will be set on this permission + AuthorizationTokenExchangeScopePermissionID *string `json:"authorizationTokenExchangeScopePermissionId,omitempty" tf:"authorization_token_exchange_scope_permission_id,omitempty"` + + // A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + // Ids of the clients for which a policy will be created and set on scope based token exchange permission + // +listType=set + Clients []*string `json:"clients,omitempty" tf:"clients,omitempty"` + + ID *string `json:"id,omitempty" tf:"id,omitempty"` + + // (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider. + // Policy id that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider + PolicyID *string `json:"policyId,omitempty" tf:"policy_id,omitempty"` + + // Defaults to "client" This is also the only value policy type supported by this provider. + // Type of policy that is created. At the moment only 'client' type is supported + PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"` + + // Alias of the identity provider. 
+ ProviderAlias *string `json:"providerAlias,omitempty" tf:"provider_alias,omitempty"` + + // The realm that the identity provider exists in. + RealmID *string `json:"realmId,omitempty" tf:"realm_id,omitempty"` +} + +type ProviderTokenExchangeScopePermissionParameters struct { + + // A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + // Ids of the clients for which a policy will be created and set on scope based token exchange permission + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/namespaced/openidclient/v1alpha1.Client + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.UUIDExtractor() + // +kubebuilder:validation:Optional + // +listType=set + Clients []*string `json:"clients,omitempty" tf:"clients,omitempty"` + + // References to Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsRefs []v1.NamespacedReference `json:"clientsRefs,omitempty" tf:"-"` + + // Selector for a list of Client in openidclient to populate clients. + // +kubebuilder:validation:Optional + ClientsSelector *v1.NamespacedSelector `json:"clientsSelector,omitempty" tf:"-"` + + // Defaults to "client" This is also the only value policy type supported by this provider. + // Type of policy that is created. At the moment only 'client' type is supported + // +kubebuilder:validation:Optional + PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"` + + // Alias of the identity provider. 
+ // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/namespaced/oidc/v1alpha1.IdentityProvider + // +crossplane:generate:reference:extractor=github.com/crossplane-contrib/provider-keycloak/config/common.IdentityProviderAliasExtractor() + // +kubebuilder:validation:Optional + ProviderAlias *string `json:"providerAlias,omitempty" tf:"provider_alias,omitempty"` + + // Reference to a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasRef *v1.NamespacedReference `json:"providerAliasRef,omitempty" tf:"-"` + + // Selector for a IdentityProvider in oidc to populate providerAlias. + // +kubebuilder:validation:Optional + ProviderAliasSelector *v1.NamespacedSelector `json:"providerAliasSelector,omitempty" tf:"-"` + + // The realm that the identity provider exists in. + // +crossplane:generate:reference:type=github.com/crossplane-contrib/provider-keycloak/apis/namespaced/realm/v1alpha1.Realm + // +kubebuilder:validation:Optional + RealmID *string `json:"realmId,omitempty" tf:"realm_id,omitempty"` + + // Reference to a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDRef *v1.NamespacedReference `json:"realmIdRef,omitempty" tf:"-"` + + // Selector for a Realm in realm to populate realmId. + // +kubebuilder:validation:Optional + RealmIDSelector *v1.NamespacedSelector `json:"realmIdSelector,omitempty" tf:"-"` +} + +// ProviderTokenExchangeScopePermissionSpec defines the desired state of ProviderTokenExchangeScopePermission +type ProviderTokenExchangeScopePermissionSpec struct { + v2.ManagedResourceSpec `json:",inline"` + ForProvider ProviderTokenExchangeScopePermissionParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. 
The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider ProviderTokenExchangeScopePermissionInitParameters `json:"initProvider,omitempty"` +} + +// ProviderTokenExchangeScopePermissionStatus defines the observed state of ProviderTokenExchangeScopePermission. +type ProviderTokenExchangeScopePermissionStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider ProviderTokenExchangeScopePermissionObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// ProviderTokenExchangeScopePermission is the Schema for the ProviderTokenExchangeScopePermissions API. 
+// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Namespaced,categories={crossplane,managed,keycloak} +type ProviderTokenExchangeScopePermission struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec ProviderTokenExchangeScopePermissionSpec `json:"spec"` + Status ProviderTokenExchangeScopePermissionStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// ProviderTokenExchangeScopePermissionList contains a list of ProviderTokenExchangeScopePermissions +type ProviderTokenExchangeScopePermissionList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ProviderTokenExchangeScopePermission `json:"items"` +} + +// Repository type metadata. +var ( + ProviderTokenExchangeScopePermission_Kind = "ProviderTokenExchangeScopePermission" + ProviderTokenExchangeScopePermission_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: ProviderTokenExchangeScopePermission_Kind}.String() + ProviderTokenExchangeScopePermission_KindAPIVersion = ProviderTokenExchangeScopePermission_Kind + "." + CRDGroupVersion.String() + ProviderTokenExchangeScopePermission_GroupVersionKind = CRDGroupVersion.WithKind(ProviderTokenExchangeScopePermission_Kind) +) + +func init() { + SchemeBuilder.Register(&ProviderTokenExchangeScopePermission{}, &ProviderTokenExchangeScopePermissionList{}) +} diff --git a/cluster/test/cases.txt b/cluster/test/cases.txt index a442263f..ea2a75d8 100644 --- a/cluster/test/cases.txt +++ b/cluster/test/cases.txt 
@@ -21,6 +21,8 @@
 # ./dev/demos/namespaced/062-saml-client-default-scopes.yaml --> waiting for https://github.com/keycloak/terraform-provider-keycloak/issues/1395
 ./dev/demos/namespaced/061-saml-client-scopes.yaml
 ./dev/demos/namespaced/060-saml-client.yaml
+./dev/demos/namespaced/055-identity-provider-token-exchange.yaml
+./dev/demos/namespaced/054-identity-provider-token-exchange-idp.yaml
 ./dev/demos/namespaced/053-google-identity-provider.yaml
 ./dev/demos/namespaced/052-identity-provider-mapper.yaml
 ./dev/demos/namespaced/051-saml-identity-provider.yaml
@@ -70,6 +72,8 @@
 #./dev/demos/basic/062-saml-client-default-scopes.yaml --> waiting for https://github.com/keycloak/terraform-provider-keycloak/issues/1395
 ./dev/demos/basic/061-saml-client-scopes.yaml
 ./dev/demos/basic/060-saml-client.yaml
+./dev/demos/basic/055-identity-provider-token-exchange.yaml
+./dev/demos/basic/054-identity-provider-token-exchange-idp.yaml
 ./dev/demos/basic/053-google-identity-provider.yaml
 ./dev/demos/basic/052-identity-provider-mapper.yaml
 ./dev/demos/basic/051-saml-identity-provider.yaml
diff --git a/config/common/common.go b/config/common/common.go
index 260759d5..ea620639 100644
--- a/config/common/common.go
+++ b/config/common/common.go
@@ -21,6 +21,12 @@ const (
 	// PathAuthenticationFlowOrSubflowAliasExtractor is the golang path to extractor function
 	// that can handle both Flow and Subflow resources
 	PathAuthenticationFlowOrSubflowAliasExtractor = SelfPackagePath + ".AuthenticationFlowOrSubflowAliasExtractor()"
+	// PathIdentityProviderAliasExtractor is the golang path to IdentityProviderAliasExtractor function
+	// in this package.
+	PathIdentityProviderAliasExtractor = SelfPackagePath + ".IdentityProviderAliasExtractor()"
+	// PathAliasExtractor is the golang path to the generic AliasExtractor function
+	// in this package.
+	PathAliasExtractor = SelfPackagePath + ".AliasExtractor()"
 	// PathUUIDExtractor is the golang path to UUIDExtractor function
 	PathUUIDExtractor = SelfPackagePath + ".UUIDExtractor()"
 )
@@ -42,8 +48,9 @@ func ServiceAccountRoleIDExtractor() reference.ExtractValueFn {
 	}
 }
 
-// AuthenticationFlowAliasExtractor extract Alias from AuthenticationFlow Ref
-func AuthenticationFlowAliasExtractor() reference.ExtractValueFn {
+// AliasExtractor is a generic extractor that extracts the alias field from status.atProvider.
+// This is used by multiple resource types that have an "alias" field.
+func AliasExtractor() reference.ExtractValueFn {
 	return func(mg xpresource.Managed) string {
 		paved, err := fieldpath.PaveObject(mg)
 		if err != nil {
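Review bot: The doc comment on `AliasExtractor` says where the value is read from but not what the returned closure yields when the referenced object carries no `status.atProvider.alias` yet; the closure body continues outside the hunk, so the fallback is not visible here. Three reference configurations now depend on that single behaviour, including `IdentityProviderAliasExtractor` in the following hunk, so state it on the function, e.g. `// Yields "" when status.atProvider.alias is not yet populated.`, and say whether an empty alias is then rejected by reference resolution or passed through as a value. The retained wrappers `AuthenticationFlowAliasExtractor`, `AuthenticationFlowOrSubflowAliasExtractor` and `IdentityProviderAliasExtractor` are now identical one-liners; if they are kept because generated reference markers address them by path, a one-line comment saying so would stop the next reader from folding them into `AliasExtractor`.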
@@ -60,12 +67,20 @@ func AuthenticationFlowAliasExtractor() reference.ExtractValueFn {
 	}
 }
 
+// AuthenticationFlowAliasExtractor extracts Alias from AuthenticationFlow Ref
+func AuthenticationFlowAliasExtractor() reference.ExtractValueFn {
+	return AliasExtractor()
+}
+
 // AuthenticationFlowOrSubflowAliasExtractor extracts Alias from either AuthenticationFlow or Subflow Ref
 // Both Flow and Subflow resources have an "alias" field in status.atProvider
 func AuthenticationFlowOrSubflowAliasExtractor() reference.ExtractValueFn {
-	// Both Flow and Subflow use the same alias field structure,
-	// so we can use the same extraction logic
-	return AuthenticationFlowAliasExtractor()
+	return AliasExtractor()
+}
+
+// IdentityProviderAliasExtractor extracts Alias from IdentityProvider Ref
+func IdentityProviderAliasExtractor() reference.ExtractValueFn {
+	return AliasExtractor()
 }
 
 // UUIDExtractor returns a reference.ExtractValueFn that can be used to extract the UUID from a managed resource.
diff --git a/config/external_name.go b/config/external_name.go
index 6d77151c..2138d095 100644
--- a/config/external_name.go
+++ b/config/external_name.go
@@ -26,65 +26,66 @@ import (
 // provider.
 var ExternalNameConfigs = map[string]config.ExternalName{
 	// Import requires using a randomly generated ID from provider: nl-2e21sda
-	"keycloak_generic_protocol_mapper": mapper.ProtocolMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_generic_role_mapper": config.IdentifierFromProvider, // {realm}/client|client-scope/{Client.UUid}/scope-mappings/{Client.UUid}/{Group.UUid}
-	"keycloak_group_memberships": config.IdentifierFromProvider, // {realm}/group-memberships/{Group.UUid}
-	"keycloak_group_permissions": config.IdentifierFromProvider, // {realm}/{Group.UUid}
-	"keycloak_group_roles": config.IdentifierFromProvider, // {realm}/{Group.UUid}
-	"keycloak_group": group.GroupIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_client_policy": openidclient.AuthzClientPoliciesIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_group_policy": openidclient.AuthzGroupPoliciesIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_permissions": config.IdentifierFromProvider, // {realm}/{Client.UUid}
-	"keycloak_openid_client_role_policy": openidclient.AuthzRolePoliciesIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_user_policy": openidclient.AuthzUserPoliciesIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_default_scopes": config.IdentifierFromProvider, // {realm}/{Client.UUid}
-	"keycloak_openid_client_optional_scopes": config.IdentifierFromProvider, // {realm}/{Client.UUid}
-	"keycloak_openid_client_scope": openidclient.ClientScopeIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client": openidclient.ClientIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_authorization_resource": config.IdentifierFromProvider, // {realm}/{Client.UUid}
-	"keycloak_openid_client_authorization_permission": config.IdentifierFromProvider, // {realm}/{Client.UUid}
-	"keycloak_openid_group_membership_protocol_mapper": openidgroup.IdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_openid_client_service_account_realm_role": config.IdentifierFromProvider, // {serviceAccountUserId.UUid}/{role.UUid}
-	"keycloak_openid_client_service_account_role": config.IdentifierFromProvider, // {serviceAccountUserId.UUid}/{role.UUid}
-	"keycloak_organization": config.IdentifierFromProvider, // {UUid}
-	"keycloak_realm": realm.RealmIdentifierFromIdentifyingProperties, // {realm}
-	"keycloak_required_action": config.IdentifierFromProvider, // {realm}/{alias}
-	"keycloak_role": role.IdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_user_groups": config.IdentifierFromProvider, // {realm}/{User.UUid}
-	"keycloak_user_roles": config.IdentifierFromProvider, // {realm}/{User.UUid}
-	"keycloak_users_permissions": config.IdentifierFromProvider, // {realm}
-	"keycloak_user": user.UserIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_custom_user_federation": config.IdentifierFromProvider, // ???
-	"keycloak_oidc_identity_provider": oidc.IdentifierFromIdentifyingProperties, // {alias}
-	"keycloak_oidc_google_identity_provider": oidc.IdentifierFromIdentifyingProperties, // {alias}
-	"keycloak_saml_identity_provider": saml.IdentifierFromIdentifyingProperties, // {alias}
-	"keycloak_custom_identity_provider_mapper": identityprovider.IdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_saml_client": samlclient.ClientIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_saml_client_default_scopes": config.IdentifierFromProvider, // {realm}/{Client.UUid}
-	"keycloak_saml_client_scope": samlclient.ClientScopeIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_realm_keystore_rsa": realm.KeystoreRsaIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_realm_user_profile": config.IdentifierFromProvider, // {realm}
-	"keycloak_realm_default_client_scopes": config.IdentifierFromProvider, // {realm}
-	"keycloak_realm_optional_client_scopes": config.IdentifierFromProvider, // {realm}
-	"keycloak_realm_events": realm.EventsRealmIdentifierFromIdentifyingProperties, // {realm}
-	"keycloak_authentication_flow": authentication.FlowIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_authentication_subflow": authentication.SubFlowIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_authentication_execution": authentication.ExecutionIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_authentication_execution_config": authentication.ExecutionConfigIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_authentication_bindings": config.IdentifierFromProvider, // {realm}
-	"keycloak_default_roles": config.IdentifierFromProvider, // {UUid}
-	"keycloak_default_groups": config.IdentifierFromProvider, // {realm}/default-groups
-	"keycloak_ldap_user_federation": ldap.UserFederationIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_user_attribute_mapper": ldap.UserAttributeMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_role_mapper": ldap.RoleMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_group_mapper": ldap.GroupMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_hardcoded_role_mapper": ldap.HardcodedRoleMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_hardcoded_group_mapper": ldap.HardcodedGroupMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_msad_user_account_control_mapper": ldap.MsadUserAccountControlMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_msad_lds_user_account_control_mapper": ldap.MsadLdsUserAccountControlMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_hardcoded_attribute_mapper": ldap.HardcodedAttributeMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_full_name_mapper": ldap.FullNameMapperIdentifierFromIdentifyingProperties, // {UUid}
-	"keycloak_ldap_custom_mapper": ldap.CustomMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_generic_protocol_mapper": mapper.ProtocolMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_generic_role_mapper": config.IdentifierFromProvider, // {realm}/client|client-scope/{Client.UUid}/scope-mappings/{Client.UUid}/{Group.UUid}
+	"keycloak_group_memberships": config.IdentifierFromProvider, // {realm}/group-memberships/{Group.UUid}
+	"keycloak_group_permissions": config.IdentifierFromProvider, // {realm}/{Group.UUid}
+	"keycloak_group_roles": config.IdentifierFromProvider, // {realm}/{Group.UUid}
+	"keycloak_group": group.GroupIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_client_policy": openidclient.AuthzClientPoliciesIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_group_policy": openidclient.AuthzGroupPoliciesIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_permissions": config.IdentifierFromProvider, // {realm}/{Client.UUid}
+	"keycloak_openid_client_role_policy": openidclient.AuthzRolePoliciesIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_user_policy": openidclient.AuthzUserPoliciesIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_default_scopes": config.IdentifierFromProvider, // {realm}/{Client.UUid}
+	"keycloak_openid_client_optional_scopes": config.IdentifierFromProvider, // {realm}/{Client.UUid}
+	"keycloak_openid_client_scope": openidclient.ClientScopeIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client": openidclient.ClientIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_authorization_resource": config.IdentifierFromProvider, // {realm}/{Client.UUid}
+	"keycloak_openid_client_authorization_permission": config.IdentifierFromProvider, // {realm}/{Client.UUid}
+	"keycloak_openid_group_membership_protocol_mapper": openidgroup.IdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_openid_client_service_account_realm_role": config.IdentifierFromProvider, // {serviceAccountUserId.UUid}/{role.UUid}
+	"keycloak_openid_client_service_account_role": config.IdentifierFromProvider, // {serviceAccountUserId.UUid}/{role.UUid}
+	"keycloak_organization": config.IdentifierFromProvider, // {UUid}
+	"keycloak_realm": realm.RealmIdentifierFromIdentifyingProperties, // {realm}
+	"keycloak_required_action": config.IdentifierFromProvider, // {realm}/{alias}
+	"keycloak_role": role.IdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_user_groups": config.IdentifierFromProvider, // {realm}/{User.UUid}
+	"keycloak_user_roles": config.IdentifierFromProvider, // {realm}/{User.UUid}
+	"keycloak_users_permissions": config.IdentifierFromProvider, // {realm}
+	"keycloak_user": user.UserIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_custom_user_federation": config.IdentifierFromProvider, // ???
+	"keycloak_oidc_identity_provider": oidc.IdentifierFromIdentifyingProperties, // {alias}
+	"keycloak_oidc_google_identity_provider": oidc.IdentifierFromIdentifyingProperties, // {alias}
+	"keycloak_saml_identity_provider": saml.IdentifierFromIdentifyingProperties, // {alias}
+	"keycloak_custom_identity_provider_mapper": identityprovider.IdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_identity_provider_token_exchange_scope_permission": config.IdentifierFromProvider, // {realm}/{provider_alias}
+	"keycloak_saml_client": samlclient.ClientIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_saml_client_default_scopes": config.IdentifierFromProvider, // {realm}/{Client.UUid}
+	"keycloak_saml_client_scope": samlclient.ClientScopeIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_realm_keystore_rsa": realm.KeystoreRsaIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_realm_user_profile": config.IdentifierFromProvider, // {realm}
+	"keycloak_realm_default_client_scopes": config.IdentifierFromProvider, // {realm}
+	"keycloak_realm_optional_client_scopes": config.IdentifierFromProvider, // {realm}
+	"keycloak_realm_events": realm.EventsRealmIdentifierFromIdentifyingProperties, // {realm}
+	"keycloak_authentication_flow": authentication.FlowIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_authentication_subflow": authentication.SubFlowIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_authentication_execution": authentication.ExecutionIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_authentication_execution_config": authentication.ExecutionConfigIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_authentication_bindings": config.IdentifierFromProvider, // {realm}
+	"keycloak_default_roles": config.IdentifierFromProvider, // {UUid}
+	"keycloak_default_groups": config.IdentifierFromProvider, // {realm}/default-groups
+	"keycloak_ldap_user_federation": ldap.UserFederationIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_user_attribute_mapper": ldap.UserAttributeMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_role_mapper": ldap.RoleMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_group_mapper": ldap.GroupMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_hardcoded_role_mapper": ldap.HardcodedRoleMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_hardcoded_group_mapper": ldap.HardcodedGroupMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_msad_user_account_control_mapper": ldap.MsadUserAccountControlMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_msad_lds_user_account_control_mapper": ldap.MsadLdsUserAccountControlMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_hardcoded_attribute_mapper": ldap.HardcodedAttributeMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_full_name_mapper": ldap.FullNameMapperIdentifierFromIdentifyingProperties, // {UUid}
+	"keycloak_ldap_custom_mapper": ldap.CustomMapperIdentifierFromIdentifyingProperties, // {UUid}
 }
 
 // ExternalNameConfigurations applies all external name configs listed in the
diff --git a/config/identityprovider/config.go b/config/identityprovider/config.go
index af24e61a..bf34e49b 100644
--- a/config/identityprovider/config.go
+++ b/config/identityprovider/config.go
@@ -5,6 +5,7 @@ import (
 	"github.com/crossplane/upjet/v2/pkg/config"
 
+	"github.com/crossplane-contrib/provider-keycloak/config/common"
 	"github.com/crossplane-contrib/provider-keycloak/config/lookup"
 	"github.com/keycloak/terraform-provider-keycloak/keycloak"
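Review bot: The new `keycloak_identity_provider_token_exchange_scope_permission` entry is configured with `config.IdentifierFromProvider`, yet its own comment `// {realm}/{provider_alias}` says the identifier is composed of two values the spec already carries. The neighbouring alias-keyed entries (`keycloak_oidc_identity_provider`, `keycloak_saml_identity_provider`) use `IdentifierFromIdentifyingProperties` lookups, which let a managed resource locate an already-existing object instead of depending on a provider-assigned external name; if the Terraform import ID really is `{realm}/{provider_alias}`, the same approach would be consistent here. If `IdentifierFromProvider` is deliberate (for example because the provider assigns the ID on create), note that in the comment so the inconsistency is not mistaken for an oversight. Everything else in this hunk is gofmt column realignment.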
@@ -23,6 +24,18 @@ func Configure(p *config.Provider) {
 			TerraformName: "keycloak_realm",
 		}
 	})
+
+	p.AddResourceConfigurator("keycloak_identity_provider_token_exchange_scope_permission", func(r *config.Resource) {
+		r.ShortGroup = Group
+		r.References["provider_alias"] = config.Reference{
+			TerraformName: "keycloak_oidc_identity_provider",
+			Extractor: common.PathIdentityProviderAliasExtractor,
+		}
+		r.References["clients"] = config.Reference{
+			TerraformName: "keycloak_openid_client",
+			Extractor: common.PathUUIDExtractor,
+		}
+	})
 }
 
 var identifyingPropertiesLookup = lookup.IdentifyingPropertiesLookupConfig{
diff --git a/dev/demos/basic/054-identity-provider-token-exchange-idp.yaml b/dev/demos/basic/054-identity-provider-token-exchange-idp.yaml
new file mode 100644
index 00000000..a00ba0ba
--- /dev/null
+++ b/dev/demos/basic/054-identity-provider-token-exchange-idp.yaml
@@ -0,0 +1,45 @@
+---
+# OIDC Identity Provider
+apiVersion: oidc.keycloak.crossplane.io/v1alpha1
+kind: IdentityProvider
+metadata:
+  name: token-exchange-test-idp
+spec:
+  deletionPolicy: Delete
+  forProvider:
+    alias: test-idp
+    authorizationUrl: https://example.com/auth
+    clientIdSecretRef:
+      key: client-id
+      name: client-secret
+      namespace: dev
+    clientSecretSecretRef:
+      key: client-secret
+      name: client-secret
+      namespace: dev
+    realmRef:
+      name: dev
+      policy:
+        resolve: Always
+    tokenUrl: https://example.com/token
+  providerConfigRef:
+    name: "keycloak-provider-config"
+---
+# OpenID Client
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+  name: token-exchange-test-client
+spec:
+  deletionPolicy: Delete
+  forProvider:
+    realmIdRef:
+      name: dev
+      policy:
+        resolve: Always
+    accessType: "CONFIDENTIAL"
+    clientId: "token-exchange-test-client"
+    fullScopeAllowed: false
+    serviceAccountsEnabled: true
+  providerConfigRef:
+    name: "keycloak-provider-config"
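Review bot: `r.References["provider_alias"]` binds the reference to `keycloak_oidc_identity_provider` only, so a `providerAliasRef` cannot point at a `keycloak_saml_identity_provider` or `keycloak_oidc_google_identity_provider` even though both carry an alias and `common.PathIdentityProviderAliasExtractor` is generic; nothing tells users of those kinds that they must set `providerAlias` directly. Add a comment above the reference, e.g. `// providerAliasRef resolves OIDC identity providers only; for SAML or Google providers set providerAlias explicitly.`, or register the additional reference types if upjet allows more than one per field. No `r.References["realm_id"]` is configured here while the external-name comment for this resource makes the realm part of the identifier; the generated types on this page do carry a `RealmIDRef`, so presumably a provider-wide default covers it, but that is worth confirming.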
diff --git a/dev/demos/basic/055-identity-provider-token-exchange.yaml b/dev/demos/basic/055-identity-provider-token-exchange.yaml
new file mode 100644
index 00000000..2c0f16f8
--- /dev/null
+++ b/dev/demos/basic/055-identity-provider-token-exchange.yaml
@@ -0,0 +1,23 @@
+# Token Exchange Scope Permission
+apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1
+kind: ProviderTokenExchangeScopePermission
+metadata:
+  name: token-exchange-permission
+spec:
+  deletionPolicy: Delete
+  forProvider:
+    clientsRefs:
+      - name: token-exchange-test-client
+        policy:
+          resolve: Always
+    policyType: client
+    providerAliasRef:
+      name: token-exchange-test-idp
+      policy:
+        resolve: Always
+    realmIdRef:
+      name: dev
+      policy:
+        resolve: Always
+  providerConfigRef:
+    name: "keycloak-provider-config"
diff --git a/dev/demos/namespaced/054-identity-provider-token-exchange-idp.yaml b/dev/demos/namespaced/054-identity-provider-token-exchange-idp.yaml
new file mode 100644
index 00000000..8e3fdc57
--- /dev/null
+++ b/dev/demos/namespaced/054-identity-provider-token-exchange-idp.yaml
@@ -0,0 +1,45 @@
+---
+# OIDC Identity Provider
+apiVersion: oidc.keycloak.m.crossplane.io/v1alpha1
+kind: IdentityProvider
+metadata:
+ name: token-exchange-test-idp
+ namespace: dev-ns
+spec:
+ forProvider:
+ alias: test-idp
+ authorizationUrl: https://example.com/auth
+ clientIdSecretRef:
+ key: client-id
+ name: client-secret
+ clientSecretSecretRef:
+ key: client-secret
+ name: client-secret
+ realmRef:
+ name: dev-ns
+ policy:
+ resolve: Always
+ tokenUrl: https://example.com/token
+ providerConfigRef:
+ name: "keycloak-provider-config"
+ kind: ProviderConfig
+---
+# OpenID Client
+apiVersion: openidclient.keycloak.m.crossplane.io/v1alpha1
+kind: Client
+metadata:
+ name: token-exchange-test-client
+ namespace: dev-ns
+spec:
+ forProvider:
+ realmIdRef:
+ name: dev-ns
+ policy:
+ resolve: Always
+ accessType: "CONFIDENTIAL"
+ clientId: "token-exchange-test-client"
+ fullScopeAllowed: false
+ serviceAccountsEnabled: true
+ providerConfigRef:
+ name: "keycloak-provider-config"
+ kind: ProviderConfig
diff --git a/dev/demos/namespaced/055-identity-provider-token-exchange.yaml b/dev/demos/namespaced/055-identity-provider-token-exchange.yaml
new file mode 100644
index 00000000..89c2d91a
--- /dev/null
+++ b/dev/demos/namespaced/055-identity-provider-token-exchange.yaml
@@ -0,0 +1,24 @@
+# Token Exchange Scope Permission
+apiVersion: identityprovider.keycloak.m.crossplane.io/v1alpha1
+kind: ProviderTokenExchangeScopePermission
+metadata:
+ name: token-exchange-permission
+ namespace: dev-ns
+spec:
+ forProvider:
+ clientsRefs:
+ - name: token-exchange-test-client
+ policy:
+ resolve: Always
+ policyType: client
+ providerAliasRef:
+ name: token-exchange-test-idp
+ policy:
+ resolve: Always
+ realmIdRef:
+ name: dev-ns
+ policy:
+ resolve: Always
+ providerConfigRef:
+ name: "keycloak-provider-config"
+ kind: ProviderConfig
diff --git a/examples-generated/cluster/identityprovider/v1alpha1/providertokenexchangescopepermission.yaml b/examples-generated/cluster/identityprovider/v1alpha1/providertokenexchangescopepermission.yaml new file mode 100644 index 00000000..18b4f6be --- /dev/null +++ b/examples-generated/cluster/identityprovider/v1alpha1/providertokenexchangescopepermission.yaml 
@@ -0,0 +1,89 @@ +apiVersion: identityprovider.keycloak.crossplane.io/v1alpha1 +kind: ProviderTokenExchangeScopePermission +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: oidc_idp_permission + name: oidc-idp-permission +spec: + forProvider: + clientsRefs: + - name: token-exchange_webapp_client + policyType: client + providerAliasSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_my_oidc_idp + realmIdSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_realm + +--- + +apiVersion: oidc.keycloak.crossplane.io/v1alpha1 +kind: IdentityProvider +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: token_exchange_my_oidc_idp + name: token-exchange-my-oidc-idp +spec: + forProvider: + alias: myIdp + authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth + clientIdSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + clientSecretSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + defaultScopes: openid + realmSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_realm + tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token + +--- + +apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 +kind: Client +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: token-exchange_webapp_client + name: token-exchange-webapp-client +spec: + forProvider: + accessType: CONFIDENTIAL + clientId: webapp_client + clientSecretSecretRef: + key: example-key + name: example-secret + namespace: upbound-system + description: a webapp client on the destination realm + name: 
webapp_client + realmIdSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_realm + standardFlowEnabled: true + validRedirectUris: + - http://localhost:8080/* + +--- + +apiVersion: realm.keycloak.crossplane.io/v1alpha1 +kind: Realm +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: token_exchange_realm + name: token-exchange-realm +spec: + forProvider: + enabled: true + realm: token-exchange_destination_realm diff --git a/examples-generated/namespaced/identityprovider/v1alpha1/providertokenexchangescopepermission.yaml b/examples-generated/namespaced/identityprovider/v1alpha1/providertokenexchangescopepermission.yaml new file mode 100644 index 00000000..677fdcd2 --- /dev/null +++ b/examples-generated/namespaced/identityprovider/v1alpha1/providertokenexchangescopepermission.yaml 
@@ -0,0 +1,90 @@ +apiVersion: identityprovider.keycloak.m.crossplane.io/v1alpha1 +kind: ProviderTokenExchangeScopePermission +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: oidc_idp_permission + name: oidc-idp-permission + namespace: upbound-system +spec: + forProvider: + clientsRefs: + - name: token-exchange_webapp_client + policyType: client + providerAliasSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_my_oidc_idp + realmIdSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_realm + +--- + +apiVersion: oidc.keycloak.m.crossplane.io/v1alpha1 +kind: IdentityProvider +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: token_exchange_my_oidc_idp + name: token-exchange-my-oidc-idp + namespace: upbound-system +spec: + forProvider: + alias: myIdp + authorizationUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/auth + clientIdSecretRef: + key: example-key + name: example-secret + clientSecretSecretRef: + key: example-key + name: example-secret + defaultScopes: openid + realmSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_realm + tokenUrl: http://localhost:8080/auth/realms/someRealm/protocol/openid-connect/token + +--- + +apiVersion: openidclient.keycloak.m.crossplane.io/v1alpha1 +kind: Client +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: token-exchange_webapp_client + name: token-exchange-webapp-client + namespace: upbound-system +spec: + forProvider: + accessType: CONFIDENTIAL + clientId: webapp_client + clientSecretSecretRef: + key: example-key + name: example-secret + description: a webapp client on the destination realm + name: 
webapp_client + realmIdSelector: + matchLabels: + testing.upbound.io/example-name: token_exchange_realm + standardFlowEnabled: true + validRedirectUris: + - http://localhost:8080/* + +--- + +apiVersion: realm.keycloak.m.crossplane.io/v1alpha1 +kind: Realm +metadata: + annotations: + meta.upbound.io/example-id: identityprovider/v1alpha1/providertokenexchangescopepermission + labels: + testing.upbound.io/example-name: token_exchange_realm + name: token-exchange-realm + namespace: upbound-system +spec: + forProvider: + enabled: true + realm: token-exchange_destination_realm diff --git a/internal/controller/cluster/identityprovider/providertokenexchangescopepermission/zz_controller.go b/internal/controller/cluster/identityprovider/providertokenexchangescopepermission/zz_controller.go new file mode 100755 index 00000000..9572b339 --- /dev/null +++ b/internal/controller/cluster/identityprovider/providertokenexchangescopepermission/zz_controller.go 
@@ -0,0 +1,100 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package providertokenexchangescopepermission + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/v2/pkg/event" + xpfeature "github.com/crossplane/crossplane-runtime/v2/pkg/feature" + "github.com/crossplane/crossplane-runtime/v2/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/v2/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/v2/pkg/resource" + "github.com/crossplane/crossplane-runtime/v2/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/v2/pkg/controller" + "github.com/crossplane/upjet/v2/pkg/controller/handler" + "github.com/crossplane/upjet/v2/pkg/metrics" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1alpha1 "github.com/crossplane-contrib/provider-keycloak/apis/cluster/identityprovider/v1alpha1" + features "github.com/crossplane-contrib/provider-keycloak/internal/features" +) + +// SetupGated adds a controller that reconciles ProviderTokenExchangeScopePermission managed resources. +func SetupGated(mgr ctrl.Manager, o tjcontroller.Options) error { + o.Options.Gate.Register(func() { + if err := Setup(mgr, o); err != nil { + mgr.GetLogger().Error(err, "unable to setup reconciler", "gvk", v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind.String()) + } + }, v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind) + return nil +} + +// Setup adds a controller that reconciles ProviderTokenExchangeScopePermission managed resources. 
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind.String()) + var initializers managed.InitializerChain + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["keycloak_identity_provider_token_exchange_scope_permission"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if 
o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.ProviderTokenExchangeScopePermission + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.ProviderTokenExchangeScopePermission{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.ProviderTokenExchangeScopePermission") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.ProviderTokenExchangeScopePermissionList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.ProviderTokenExchangeScopePermissionList") + } + } + + if o.Features.Enabled(xpfeature.EnableAlphaChangeLogs) { + opts = append(opts, managed.WithChangeLogger(o.ChangeLogOptions.ChangeLogger)) + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.ProviderTokenExchangeScopePermission{}, eventHandler). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/cluster/zz_setup.go b/internal/controller/cluster/zz_setup.go index 660b7a6d..1d5463c7 100755 --- a/internal/controller/cluster/zz_setup.go +++ b/internal/controller/cluster/zz_setup.go 
@@ -23,6 +23,7 @@ import ( permissions "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/group/permissions" rolesgroup "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/group/roles" identityprovidermapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/identityprovider/identityprovidermapper" + providertokenexchangescopepermission "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/identityprovider/providertokenexchangescopepermission" custommapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/ldap/custommapper" fullnamemapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/ldap/fullnamemapper" groupmapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/cluster/ldap/groupmapper" @@ -89,6 +90,7 @@ func Setup(mgr ctrl.Manager, o controller.Options) error { permissions.Setup, rolesgroup.Setup, identityprovidermapper.Setup, + providertokenexchangescopepermission.Setup, custommapper.Setup, fullnamemapper.Setup, groupmapper.Setup, @@ -161,6 +163,7 @@ func SetupGated(mgr ctrl.Manager, o controller.Options) error { permissions.SetupGated, rolesgroup.SetupGated, identityprovidermapper.SetupGated, + providertokenexchangescopepermission.SetupGated, custommapper.SetupGated, fullnamemapper.SetupGated, groupmapper.SetupGated, diff --git a/internal/controller/namespaced/identityprovider/providertokenexchangescopepermission/zz_controller.go b/internal/controller/namespaced/identityprovider/providertokenexchangescopepermission/zz_controller.go new file mode 100755 index 00000000..70ca9ea8 --- /dev/null +++ b/internal/controller/namespaced/identityprovider/providertokenexchangescopepermission/zz_controller.go 
@@ -0,0 +1,100 @@ +/* +Copyright 2022 Upbound Inc. +*/ + +// Code generated by upjet. DO NOT EDIT. + +package providertokenexchangescopepermission + +import ( + "time" + + "github.com/crossplane/crossplane-runtime/v2/pkg/event" + xpfeature "github.com/crossplane/crossplane-runtime/v2/pkg/feature" + "github.com/crossplane/crossplane-runtime/v2/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/v2/pkg/reconciler/managed" + xpresource "github.com/crossplane/crossplane-runtime/v2/pkg/resource" + "github.com/crossplane/crossplane-runtime/v2/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/v2/pkg/controller" + "github.com/crossplane/upjet/v2/pkg/controller/handler" + "github.com/crossplane/upjet/v2/pkg/metrics" + "github.com/pkg/errors" + ctrl "sigs.k8s.io/controller-runtime" + + v1alpha1 "github.com/crossplane-contrib/provider-keycloak/apis/namespaced/identityprovider/v1alpha1" + features "github.com/crossplane-contrib/provider-keycloak/internal/features" +) + +// SetupGated adds a controller that reconciles ProviderTokenExchangeScopePermission managed resources. +func SetupGated(mgr ctrl.Manager, o tjcontroller.Options) error { + o.Options.Gate.Register(func() { + if err := Setup(mgr, o); err != nil { + mgr.GetLogger().Error(err, "unable to setup reconciler", "gvk", v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind.String()) + } + }, v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind) + return nil +} + +// Setup adds a controller that reconciles ProviderTokenExchangeScopePermission managed resources. 
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error { + name := managed.ControllerName(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind.String()) + var initializers managed.InitializerChain + eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind))) + ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false)) + opts := []managed.ReconcilerOption{ + managed.WithExternalConnecter( + tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["keycloak_identity_provider_token_exchange_scope_permission"], + tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger), + tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler), + tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac), + tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind, mgr, o.PollInterval)), + tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))), + managed.WithLogger(o.Logger.WithValues("controller", name)), + managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))), + managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))), + managed.WithTimeout(3 * time.Minute), + managed.WithInitializers(initializers), + managed.WithPollInterval(o.PollInterval), + } + if o.PollJitter != 0 { + opts = append(opts, managed.WithPollJitterHook(o.PollJitter)) + } + if o.Features.Enabled(features.EnableBetaManagementPolicies) { + opts = append(opts, managed.WithManagementPolicies()) + } + if 
o.MetricOptions != nil { + opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics)) + } + + // register webhooks for the kind v1alpha1.ProviderTokenExchangeScopePermission + // if they're enabled. + if o.StartWebhooks { + if err := ctrl.NewWebhookManagedBy(mgr). + For(&v1alpha1.ProviderTokenExchangeScopePermission{}). + Complete(); err != nil { + return errors.Wrap(err, "cannot register webhook for the kind v1alpha1.ProviderTokenExchangeScopePermission") + } + } + + if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil { + stateMetricsRecorder := statemetrics.NewMRStateRecorder( + mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1alpha1.ProviderTokenExchangeScopePermissionList{}, o.MetricOptions.PollStateMetricInterval, + ) + if err := mgr.Add(stateMetricsRecorder); err != nil { + return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1alpha1.ProviderTokenExchangeScopePermissionList") + } + } + + if o.Features.Enabled(xpfeature.EnableAlphaChangeLogs) { + opts = append(opts, managed.WithChangeLogger(o.ChangeLogOptions.ChangeLogger)) + } + + r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1alpha1.ProviderTokenExchangeScopePermission_GroupVersionKind), opts...) + + return ctrl.NewControllerManagedBy(mgr). + Named(name). + WithOptions(o.ForControllerRuntime()). + WithEventFilter(xpresource.DesiredStateChanged()). + Watches(&v1alpha1.ProviderTokenExchangeScopePermission{}, eventHandler). + Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter)) +} diff --git a/internal/controller/namespaced/zz_setup.go b/internal/controller/namespaced/zz_setup.go index 4c53776e..9b49fbea 100755 --- a/internal/controller/namespaced/zz_setup.go +++ b/internal/controller/namespaced/zz_setup.go 
@@ -23,6 +23,7 @@ import ( permissions "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/group/permissions" rolesgroup "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/group/roles" identityprovidermapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/identityprovider/identityprovidermapper" + providertokenexchangescopepermission "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/identityprovider/providertokenexchangescopepermission" custommapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/ldap/custommapper" fullnamemapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/ldap/fullnamemapper" groupmapper "github.com/crossplane-contrib/provider-keycloak/internal/controller/namespaced/ldap/groupmapper" @@ -89,6 +90,7 @@ func Setup(mgr ctrl.Manager, o controller.Options) error { permissions.Setup, rolesgroup.Setup, identityprovidermapper.Setup, + providertokenexchangescopepermission.Setup, custommapper.Setup, fullnamemapper.Setup, groupmapper.Setup, @@ -161,6 +163,7 @@ func SetupGated(mgr ctrl.Manager, o controller.Options) error { permissions.SetupGated, rolesgroup.SetupGated, identityprovidermapper.SetupGated, + providertokenexchangescopepermission.SetupGated, custommapper.SetupGated, fullnamemapper.SetupGated, groupmapper.SetupGated, diff --git a/package/crds/identityprovider.keycloak.crossplane.io_providertokenexchangescopepermissions.yaml b/package/crds/identityprovider.keycloak.crossplane.io_providertokenexchangescopepermissions.yaml new file mode 100644 index 00000000..e8f18868 --- /dev/null +++ b/package/crds/identityprovider.keycloak.crossplane.io_providertokenexchangescopepermissions.yaml 
@@ -0,0 +1,782 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: providertokenexchangescopepermissions.identityprovider.keycloak.crossplane.io +spec: + group: identityprovider.keycloak.crossplane.io + names: + categories: + - crossplane + - managed + - keycloak + kind: ProviderTokenExchangeScopePermission + listKind: ProviderTokenExchangeScopePermissionList + plural: providertokenexchangescopepermissions + singular: providertokenexchangescopepermission + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProviderTokenExchangeScopePermission is the Schema for the ProviderTokenExchangeScopePermissions + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderTokenExchangeScopePermissionSpec defines the desired + state of ProviderTokenExchangeScopePermission + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + clients: + description: |- + A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + Ids of the clients for which a policy will be created and set on scope based token exchange permission + items: + type: string + type: array + x-kubernetes-list-type: set + clientsRefs: + description: References to Client in openidclient to populate + clients. + items: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + clientsSelector: + description: Selector for a list of Client in openidclient to + populate clients. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + policyType: + description: |- + Defaults to "client" This is also the only value policy type supported by this provider. + Type of policy that is created. At the moment only 'client' type is supported + type: string + providerAlias: + description: Alias of the identity provider. 
+ type: string + providerAliasRef: + description: Reference to a IdentityProvider in oidc to populate + providerAlias. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerAliasSelector: + description: Selector for a IdentityProvider in oidc to populate + providerAlias. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. 
The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + realmId: + description: The realm that the identity provider exists in. + type: string + realmIdRef: + description: Reference to a Realm in realm to populate realmId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + realmIdSelector: + description: Selector for a Realm in realm to populate realmId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + clients: + description: |- + A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + Ids of the clients for which a policy will be created and set on scope based token exchange permission + items: + type: string + type: array + x-kubernetes-list-type: set + clientsRefs: + description: References to Client in openidclient to populate + clients. + items: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + clientsSelector: + description: Selector for a list of Client in openidclient to + populate clients. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + policyType: + description: |- + Defaults to "client" This is also the only value policy type supported by this provider. + Type of policy that is created. At the moment only 'client' type is supported + type: string + providerAlias: + description: Alias of the identity provider. + type: string + providerAliasRef: + description: Reference to a IdentityProvider in oidc to populate + providerAlias. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerAliasSelector: + description: Selector for a IdentityProvider in oidc to populate + providerAlias. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + realmId: + description: The realm that the identity provider exists in. + type: string + realmIdRef: + description: Reference to a Realm in realm to populate realmId. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + realmIdSelector: + description: Selector for a Realm in realm to populate realmId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. 
+ enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: ProviderTokenExchangeScopePermissionStatus defines the observed + state of ProviderTokenExchangeScopePermission. 
+ properties: + atProvider: + properties: + authorizationIdpResourceId: + description: |- + (Computed) Resource ID representing the identity provider, this automatically created by keycloak. + Resource id representing the identity provider, this automatically created by keycloak + type: string + authorizationResourceServerId: + description: |- + (Computed) Resource server ID representing the realm management client on which this permission is managed. + Resource server id representing the realm management client on which this permission is managed + type: string + authorizationTokenExchangeScopePermissionId: + description: |- + (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission. + Permission id representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy id will be set on this permission + type: string + clients: + description: |- + A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + Ids of the clients for which a policy will be created and set on scope based token exchange permission + items: + type: string + type: array + x-kubernetes-list-type: set + id: + type: string + policyId: + description: |- + (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider. + Policy id that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider + type: string + policyType: + description: |- + Defaults to "client" This is also the only value policy type supported by this provider. + Type of policy that is created. 
At the moment only 'client' type is supported + type: string + providerAlias: + description: Alias of the identity provider. + type: string + realmId: + description: The realm that the identity provider exists in. + type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/package/crds/identityprovider.keycloak.m.crossplane.io_providertokenexchangescopepermissions.yaml b/package/crds/identityprovider.keycloak.m.crossplane.io_providertokenexchangescopepermissions.yaml new file mode 100644 index 00000000..eab90c60 --- /dev/null +++ b/package/crds/identityprovider.keycloak.m.crossplane.io_providertokenexchangescopepermissions.yaml 
@@ -0,0 +1,776 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: providertokenexchangescopepermissions.identityprovider.keycloak.m.crossplane.io +spec: + group: identityprovider.keycloak.m.crossplane.io + names: + categories: + - crossplane + - managed + - keycloak + kind: ProviderTokenExchangeScopePermission + listKind: ProviderTokenExchangeScopePermissionList + plural: providertokenexchangescopepermissions + singular: providertokenexchangescopepermission + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProviderTokenExchangeScopePermission is the Schema for the ProviderTokenExchangeScopePermissions + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProviderTokenExchangeScopePermissionSpec defines the desired + state of ProviderTokenExchangeScopePermission + properties: + forProvider: + properties: + clients: + description: |- + A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + Ids of the clients for which a policy will be created and set on scope based token exchange permission + items: + type: string + type: array + x-kubernetes-list-type: set + clientsRefs: + description: References to Client in openidclient to populate + clients. + items: + description: A NamespacedReference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + namespace: + description: Namespace of the referenced object + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + clientsSelector: + description: Selector for a list of Client in openidclient to + populate clients. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + namespace: + description: Namespace for the selector + type: string + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + policyType: + description: |- + Defaults to "client" This is also the only value policy type supported by this provider. + Type of policy that is created. At the moment only 'client' type is supported + type: string + providerAlias: + description: Alias of the identity provider. + type: string + providerAliasRef: + description: Reference to a IdentityProvider in oidc to populate + providerAlias. + properties: + name: + description: Name of the referenced object. + type: string + namespace: + description: Namespace of the referenced object + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerAliasSelector: + description: Selector for a IdentityProvider in oidc to populate + providerAlias. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + namespace: + description: Namespace for the selector + type: string + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + realmId: + description: The realm that the identity provider exists in. 
+ type: string + realmIdRef: + description: Reference to a Realm in realm to populate realmId. + properties: + name: + description: Name of the referenced object. + type: string + namespace: + description: Namespace of the referenced object + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + realmIdSelector: + description: Selector for a Realm in realm to populate realmId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + namespace: + description: Namespace for the selector + type: string + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + clients: + description: |- + A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + Ids of the clients for which a policy will be created and set on scope based token exchange permission + items: + type: string + type: array + x-kubernetes-list-type: set + clientsRefs: + description: References to Client in openidclient to populate + clients. + items: + description: A NamespacedReference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + namespace: + description: Namespace of the referenced object + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. 
+ The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + clientsSelector: + description: Selector for a list of Client in openidclient to + populate clients. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + namespace: + description: Namespace for the selector + type: string + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + policyType: + description: |- + Defaults to "client" This is also the only value policy type supported by this provider. + Type of policy that is created. At the moment only 'client' type is supported + type: string + providerAlias: + description: Alias of the identity provider. + type: string + providerAliasRef: + description: Reference to a IdentityProvider in oidc to populate + providerAlias. + properties: + name: + description: Name of the referenced object. + type: string + namespace: + description: Namespace of the referenced object + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerAliasSelector: + description: Selector for a IdentityProvider in oidc to populate + providerAlias. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. 
+ type: object + namespace: + description: Namespace for the selector + type: string + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + realmId: + description: The realm that the identity provider exists in. + type: string + realmIdRef: + description: Reference to a Realm in realm to populate realmId. + properties: + name: + description: Name of the referenced object. + type: string + namespace: + description: Namespace of the referenced object + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + realmIdSelector: + description: Selector for a Realm in realm to populate realmId. + properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + namespace: + description: Namespace for the selector + type: string + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + kind: ClusterProviderConfig + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + kind: + description: Kind of the referenced object. + type: string + name: + description: Name of the referenced object. + type: string + required: + - kind + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + name: + description: Name of the secret. + type: string + required: + - name + type: object + required: + - forProvider + type: object + status: + description: ProviderTokenExchangeScopePermissionStatus defines the observed + state of ProviderTokenExchangeScopePermission. + properties: + atProvider: + properties: + authorizationIdpResourceId: + description: |- + (Computed) Resource ID representing the identity provider, this automatically created by keycloak. 
+ Resource id representing the identity provider, this automatically created by keycloak + type: string + authorizationResourceServerId: + description: |- + (Computed) Resource server ID representing the realm management client on which this permission is managed. + Resource server id representing the realm management client on which this permission is managed + type: string + authorizationTokenExchangeScopePermissionId: + description: |- + (Computed) Permission ID representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy ID will be set on this permission. + Permission id representing the Permission with scope 'Token Exchange' and the resource 'authorization_idp_resource_id', this automatically created by keycloak, the policy id will be set on this permission + type: string + clients: + description: |- + A list of IDs of the clients for which a policy will be created and set on scope based token exchange permission. + Ids of the clients for which a policy will be created and set on scope based token exchange permission + items: + type: string + type: array + x-kubernetes-list-type: set + id: + type: string + policyId: + description: |- + (Computed) Policy ID that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider. + Policy id that will be set on the scope based token exchange permission automatically created by enabling permissions on the reference identity provider + type: string + policyType: + description: |- + Defaults to "client" This is also the only value policy type supported by this provider. + Type of policy that is created. At the moment only 'client' type is supported + type: string + providerAlias: + description: Alias of the identity provider. + type: string + realmId: + description: The realm that the identity provider exists in. 
+ type: string + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}