crossplane
Generate Secret References for Sensitive Parameters under the spec.initProvider API tree
Description of your changes
While working on adding the User.mq resource in crossplane-contrib/provider-upjet-aws, we hit the limitation that currently we do not generate secret references for the sensitive parameters under the spec.initProvider API. Currently, one can specify an ActiveMQ broker user with crossplane-contrib/provider-upjet-aws as follows:
apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
name: test-broker
spec:
forProvider:
...
user:
- passwordSecretRef:
key: password
name: mq-secret
namespace: upbound-system
username: admin
However, we cannot fully specify the broker user using the spec.initProvider API tree because there's no spec.initProvider.user[*].passwordSecretRef and a partial specification like the following:
apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
name: test-broker
spec:
forProvider:
# broker users are defined under spec.initProvider
...
initProvider:
user:
username: admin
will not function as the required user password is missing in the user specification, which renders the spec.initProvider.user API useless.
This PR adds support for the generation of secret references for sensitive parameters under the spec.initProvider API tree. As a result, it now becomes possible to fully specify a broker user as follows:
apiVersion: mq.aws.upbound.io/v1beta1
kind: Broker
metadata:
name: test-broker
spec:
initProvider:
...
user:
- passwordSecretRef:
key: password
name: mq-secret
namespace: upbound-system
username: admin
forProvider:
...
The PR proposes both the code generation changes & the runtime secret resolution changes:
Code generation changes:
- Upjet now generates the secret references under the
spec.initProviderAPI tree. As an example,Broker.mqnow hasspec.initProvider.user[*].passwordSecretRefas a sensitive parameter. - This will result in the marking of certain previously required sensitive fields as optional under the
spec.forProviderAPI tree because they have now counterparts under thespec.initProvidersubtree, i.e., they can now be specified from underspec.initProvider. - Upjet now generates, in
zz_*_terraformed.gofiles, connection details mappings without thespec.forProviderprefixes in CRD paths. For example, what upjet used to generate as follows:
// GetConnectionDetailsMapping for this SharedDirectory
func (tr *SharedDirectory) GetConnectionDetailsMapping() map[string]string {
return map[string]string{"notes": "spec.forProvider.notesSecretRef"}
}
now becomes:
// GetConnectionDetailsMapping for this SharedDirectory
func (tr *SharedDirectory) GetConnectionDetailsMapping() map[string]string {
return map[string]string{"notes": "notesSecretRef"}
}
This is because, the mapping is now not 1:1. The sensitive value for the notes Terraform configuration argument can now be resolved from either a spec.forProvider reference or a soec.initProvider reference.
Runtime changes:
Upjet runtime now has to be able to resolve secret references from under the spec.initProvider tree and the mapping between the Terraform configuration arguments & secret references is no longer one-to-one. If both a spec.initProvider and a spec.forProvider secret reference target the same Terraform configuration argument, then the spec.forProvider's reference prevails over.
I have:
- [x] Read and followed Upjet's contribution process.
- [x] Run
make reviewableto ensure this PR is ready for review. - [ ] Added
backport release-x.ylabels to auto-backport this PR if necessary.
How has this code been tested
Manually tested via the User.users crossplane-contrib/provider-upjet-azuread resource.
