From d7b7273cd47938c6f1f4f06181e880a7ee290651 Mon Sep 17 00:00:00 2001 From: AWS Controllers for Kubernetes Bot <82905295+ack-bot@users.noreply.github.com> Date: Fri, 11 Oct 2024 17:57:01 -0700 Subject: [PATCH] operator ack-iam-controller (1.3.13) --- .../1.3.13/bundle.Dockerfile | 21 ++ ...-iam-controller.clusterserviceversion.yaml | 331 ++++++++++++++++++ .../ack-iam-metrics-service_v1_service.yaml | 16 + ...der_rbac.authorization.k8s.io_v1_role.yaml | 19 + ...ter_rbac.authorization.k8s.io_v1_role.yaml | 36 ++ ...le_iam.services.k8s.aws_v1alpha1_role.yaml | 5 + .../iam.services.k8s.aws_groups.yaml | 197 +++++++++++ ...iam.services.k8s.aws_instanceprofiles.yaml | 211 +++++++++++ ...rvices.k8s.aws_openidconnectproviders.yaml | 201 +++++++++++ .../iam.services.k8s.aws_policies.yaml | 272 ++++++++++++++ .../manifests/iam.services.k8s.aws_roles.yaml | 310 ++++++++++++++++ .../manifests/iam.services.k8s.aws_users.yaml | 274 +++++++++++++++ .../1.3.13/metadata/annotations.yaml | 15 + .../1.3.13/tests/scorecard/config.yaml | 50 +++ 14 files changed, 1958 insertions(+) create mode 100644 operators/ack-iam-controller/1.3.13/bundle.Dockerfile create mode 100644 operators/ack-iam-controller/1.3.13/manifests/ack-iam-controller.clusterserviceversion.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/ack-iam-metrics-service_v1_service.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/ack-iam-reader_rbac.authorization.k8s.io_v1_role.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/ack-iam-writer_rbac.authorization.k8s.io_v1_role.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/example_iam.services.k8s.aws_v1alpha1_role.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_groups.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_instanceprofiles.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_openidconnectproviders.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_policies.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_roles.yaml create mode 100644 operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_users.yaml create mode 100644 operators/ack-iam-controller/1.3.13/metadata/annotations.yaml create mode 100644 operators/ack-iam-controller/1.3.13/tests/scorecard/config.yaml diff --git a/operators/ack-iam-controller/1.3.13/bundle.Dockerfile b/operators/ack-iam-controller/1.3.13/bundle.Dockerfile new file mode 100644 index 00000000000..f6a88ede02a --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/bundle.Dockerfile @@ -0,0 +1,21 @@ +FROM scratch + +# Core bundle labels. +LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 +LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ +LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ +LABEL operators.operatorframework.io.bundle.package.v1=ack-iam-controller +LABEL operators.operatorframework.io.bundle.channels.v1=alpha +LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0 +LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 +LABEL operators.operatorframework.io.metrics.project_layout=unknown + +# Labels for testing. +LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 +LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ + +# Copy files to locations specified by labels. +COPY bundle/manifests /manifests/ +COPY bundle/metadata /metadata/ +COPY bundle/tests/scorecard /tests/scorecard/ diff --git a/operators/ack-iam-controller/1.3.13/manifests/ack-iam-controller.clusterserviceversion.yaml b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-controller.clusterserviceversion.yaml new file mode 100644 index 00000000000..0e185a9dade --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-controller.clusterserviceversion.yaml @@ -0,0 +1,331 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "iam.services.k8s.aws/v1alpha1", + "kind": "Role", + "metadata": { + "name": "example" + }, + "spec": {} + }, + { + "apiVersion": "iam.services.k8s.aws/v1alpha1", + "kind": "Group", + "metadata": { + "name": "example" + }, + "spec": {} + }, + { + "apiVersion": "iam.services.k8s.aws/v1alpha1", + "kind": "OpenIDConnectProvider", + "metadata": { + "name": "example" + }, + "spec": {} + }, + { + "apiVersion": "iam.services.k8s.aws/v1alpha1", + "kind": "Policy", + "metadata": { + "name": "example" + }, + "spec": {} + }, + { + "apiVersion": "iam.services.k8s.aws/v1alpha1", + "kind": "User", + "metadata": { + "name": "example" + }, + "spec": {} + } + ] + capabilities: Basic Install + categories: Cloud Provider + certified: "false" + containerImage: public.ecr.aws/aws-controllers-k8s/iam-controller:1.3.13 + createdAt: "2024-10-12T00:20:42Z" + description: AWS IAM controller is a service controller for managing IAM resources + in Kubernetes + operatorframework.io/suggested-namespace: ack-system + operators.operatorframework.io/builder: operator-sdk-v1.28.0 + operators.operatorframework.io/project_layout: unknown + repository: https://github.com/aws-controllers-k8s + support: Community + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/os.linux: supported + name: ack-iam-controller.v1.3.13 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: Group represents the state of an AWS iam Group resource. + displayName: Group + kind: Group + name: groups.iam.services.k8s.aws + version: v1alpha1 + - description: InstanceProfile represents the state of an AWS iam InstanceProfile + resource. + displayName: InstanceProfile + kind: InstanceProfile + name: instanceprofiles.iam.services.k8s.aws + version: v1alpha1 + - description: OpenIDConnectProvider represents the state of an AWS iam OpenIDConnectProvider + resource. + displayName: OpenIDConnectProvider + kind: OpenIDConnectProvider + name: openidconnectproviders.iam.services.k8s.aws + version: v1alpha1 + - description: Policy represents the state of an AWS iam Policy resource. + displayName: Policy + kind: Policy + name: policies.iam.services.k8s.aws + version: v1alpha1 + - description: Role represents the state of an AWS iam Role resource. + displayName: Role + kind: Role + name: roles.iam.services.k8s.aws + version: v1alpha1 + - description: User represents the state of an AWS iam User resource. + displayName: User + kind: User + name: users.iam.services.k8s.aws + version: v1alpha1 + description: |- + Manage Identity and Access Management (IAM) resources in AWS from within your Kubernetes cluster. + + **About Amazon IAM** + + AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. + + **About the AWS Controllers for Kubernetes** + + This controller is a component of the [AWS Controller for Kubernetes](https://github.com/aws/aws-controllers-k8s) project. + + **Pre-Installation Steps** + + Please follow the following link: [Red Hat OpenShift](https://aws-controllers-k8s.github.io/community/docs/user-docs/openshift/) + displayName: AWS Controllers for Kubernetes - Amazon IAM + icon: + - base64data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjAuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB2aWV3Qm94PSIwIDAgMzA0IDE4MiIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzA0IDE4MjsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMyNTJGM0U7fQoJLnN0MXtmaWxsLXJ1bGU6ZXZlbm9kZDtjbGlwLXJ1bGU6ZXZlbm9kZDtmaWxsOiNGRjk5MDA7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik04Ni40LDY2LjRjMCwzLjcsMC40LDYuNywxLjEsOC45YzAuOCwyLjIsMS44LDQuNiwzLjIsNy4yYzAuNSwwLjgsMC43LDEuNiwwLjcsMi4zYzAsMS0wLjYsMi0xLjksM2wtNi4zLDQuMiAgIGMtMC45LDAuNi0xLjgsMC45LTIuNiwwLjljLTEsMC0yLTAuNS0zLTEuNEM3Ni4yLDkwLDc1LDg4LjQsNzQsODYuOGMtMS0xLjctMi0zLjYtMy4xLTUuOWMtNy44LDkuMi0xNy42LDEzLjgtMjkuNCwxMy44ICAgYy04LjQsMC0xNS4xLTIuNC0yMC03LjJjLTQuOS00LjgtNy40LTExLjItNy40LTE5LjJjMC04LjUsMy0xNS40LDkuMS0yMC42YzYuMS01LjIsMTQuMi03LjgsMjQuNS03LjhjMy40LDAsNi45LDAuMywxMC42LDAuOCAgIGMzLjcsMC41LDcuNSwxLjMsMTEuNSwyLjJ2LTcuM2MwLTcuNi0xLjYtMTIuOS00LjctMTZjLTMuMi0zLjEtOC42LTQuNi0xNi4zLTQuNmMtMy41LDAtNy4xLDAuNC0xMC44LDEuM2MtMy43LDAuOS03LjMsMi0xMC44LDMuNCAgIGMtMS42LDAuNy0yLjgsMS4xLTMuNSwxLjNjLTAuNywwLjItMS4yLDAuMy0xLjYsMC4zYy0xLjQsMC0yLjEtMS0yLjEtMy4xdi00LjljMC0xLjYsMC4yLTIuOCwwLjctMy41YzAuNS0wLjcsMS40LTEuNCwyLjgtMi4xICAgYzMuNS0xLjgsNy43LTMuMywxMi42LTQuNWM0LjktMS4zLDEwLjEtMS45LDE1LjYtMS45YzExLjksMCwyMC42LDIuNywyNi4yLDguMWM1LjUsNS40LDguMywxMy42LDguMywyNC42VjY2LjR6IE00NS44LDgxLjYgICBjMy4zLDAsNi43LTAuNiwxMC4zLTEuOGMzLjYtMS4yLDYuOC0zLjQsOS41LTYuNGMxLjYtMS45LDIuOC00LDMuNC02LjRjMC42LTIuNCwxLTUuMywxLTguN3YtNC4yYy0yLjktMC43LTYtMS4zLTkuMi0xLjcgICBjLTMuMi0wLjQtNi4zLTAuNi05LjQtMC42Yy02LjcsMC0xMS42LDEuMy0xNC45LDRjLTMuMywyLjctNC45LDYuNS00LjksMTEuNWMwLDQuNywxLjIsOC4yLDMuNywxMC42ICAgQzM3LjcsODAuNCw0MS4yLDgxLjYsNDUuOCw4MS42eiBNMTI2LjEsOTIuNGMtMS44LDAtMy0wLjMtMy44LTFjLTAuOC0wLjYtMS41LTItMi4xLTMuOUw5Ni43LDEwLjJjLTAuNi0yLTAuOS0zLjMtMC45LTQgICBjMC0xLjYsMC44LTIuNSwyLjQtMi41aDkuOGMxLjksMCwzLjIsMC4zLDMuOSwxYzAuOCwwLjYsMS40LDIsMiwzLjlsMTYuOCw2Ni4ybDE1LjYtNjYuMmMwLjUtMiwxLjEtMy4zLDEuOS0zLjljMC44LTAuNiwyLjItMSw0LTEgICBoOGMxLjksMCwzLjIsMC4zLDQsMWMwLjgsMC42LDEuNSwyLDEuOSwzLjlsMTUuOCw2N2wxNy4zLTY3YzAuNi0yLDEuMy0zLjMsMi0zLjljMC44LTAuNiwyLjEtMSwzLjktMWg5LjNjMS42LDAsMi41LDAuOCwyLjUsMi41ICAgYzAsMC41LTAuMSwxLTAuMiwxLjZjLTAuMSwwLjYtMC4zLDEuNC0wLjcsMi41bC0yNC4xLDc3LjNjLTAuNiwyLTEuMywzLjMtMi4xLDMuOWMtMC44LDAuNi0yLjEsMS0zLjgsMWgtOC42Yy0xLjksMC0zLjItMC4zLTQtMSAgIGMtMC44LTAuNy0xLjUtMi0xLjktNEwxNTYsMjNsLTE1LjQsNjQuNGMtMC41LDItMS4xLDMuMy0xLjksNGMtMC44LDAuNy0yLjIsMS00LDFIMTI2LjF6IE0yNTQuNiw5NS4xYy01LjIsMC0xMC40LTAuNi0xNS40LTEuOCAgIGMtNS0xLjItOC45LTIuNS0xMS41LTRjLTEuNi0wLjktMi43LTEuOS0zLjEtMi44Yy0wLjQtMC45LTAuNi0xLjktMC42LTIuOHYtNS4xYzAtMi4xLDAuOC0zLjEsMi4zLTMuMWMwLjYsMCwxLjIsMC4xLDEuOCwwLjMgICBjMC42LDAuMiwxLjUsMC42LDIuNSwxYzMuNCwxLjUsNy4xLDIuNywxMSwzLjVjNCwwLjgsNy45LDEuMiwxMS45LDEuMmM2LjMsMCwxMS4yLTEuMSwxNC42LTMuM2MzLjQtMi4yLDUuMi01LjQsNS4yLTkuNSAgIGMwLTIuOC0wLjktNS4xLTIuNy03Yy0xLjgtMS45LTUuMi0zLjYtMTAuMS01LjJMMjQ2LDUyYy03LjMtMi4zLTEyLjctNS43LTE2LTEwLjJjLTMuMy00LjQtNS05LjMtNS0xNC41YzAtNC4yLDAuOS03LjksMi43LTExLjEgICBjMS44LTMuMiw0LjItNiw3LjItOC4yYzMtMi4zLDYuNC00LDEwLjQtNS4yYzQtMS4yLDguMi0xLjcsMTIuNi0xLjdjMi4yLDAsNC41LDAuMSw2LjcsMC40YzIuMywwLjMsNC40LDAuNyw2LjUsMS4xICAgYzIsMC41LDMuOSwxLDUuNywxLjZjMS44LDAuNiwzLjIsMS4yLDQuMiwxLjhjMS40LDAuOCwyLjQsMS42LDMsMi41YzAuNiwwLjgsMC45LDEuOSwwLjksMy4zdjQuN2MwLDIuMS0wLjgsMy4yLTIuMywzLjIgICBjLTAuOCwwLTIuMS0wLjQtMy44LTEuMmMtNS43LTIuNi0xMi4xLTMuOS0xOS4yLTMuOWMtNS43LDAtMTAuMiwwLjktMTMuMywyLjhjLTMuMSwxLjktNC43LDQuOC00LjcsOC45YzAsMi44LDEsNS4yLDMsNy4xICAgYzIsMS45LDUuNywzLjgsMTEsNS41bDE0LjIsNC41YzcuMiwyLjMsMTIuNCw1LjUsMTUuNSw5LjZjMy4xLDQuMSw0LjYsOC44LDQuNiwxNGMwLDQuMy0wLjksOC4yLTIuNiwxMS42ICAgYy0xLjgsMy40LTQuMiw2LjQtNy4zLDguOGMtMy4xLDIuNS02LjgsNC4zLTExLjEsNS42QzI2NC40LDk0LjQsMjU5LjcsOTUuMSwyNTQuNiw5NS4xeiIvPgoJPGc+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI3My41LDE0My43Yy0zMi45LDI0LjMtODAuNywzNy4yLTEyMS44LDM3LjJjLTU3LjYsMC0xMDkuNS0yMS4zLTE0OC43LTU2LjdjLTMuMS0yLjgtMC4zLTYuNiwzLjQtNC40ICAgIGM0Mi40LDI0LjYsOTQuNywzOS41LDE0OC44LDM5LjVjMzYuNSwwLDc2LjYtNy42LDExMy41LTIzLjJDMjc0LjIsMTMzLjYsMjc4LjksMTM5LjcsMjczLjUsMTQzLjd6Ii8+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI4Ny4yLDEyOC4xYy00LjItNS40LTI3LjgtMi42LTM4LjUtMS4zYy0zLjIsMC40LTMuNy0yLjQtMC44LTQuNWMxOC44LTEzLjIsNDkuNy05LjQsNTMuMy01ICAgIGMzLjYsNC41LTEsMzUuNC0xOC42LDUwLjJjLTIuNywyLjMtNS4zLDEuMS00LjEtMS45QzI4Mi41LDE1NS43LDI5MS40LDEzMy40LDI4Ny4yLDEyOC4xeiIvPgoJPC9nPgo8L2c+Cjwvc3ZnPg== + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - iam.services.k8s.aws + resources: + - groups + - instanceprofiles + - openidconnectproviders + - policies + - roles + - users + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - iam.services.k8s.aws + resources: + - groups/status + - instanceprofiles/status + - openidconnectproviders/status + - policies/status + - roles/status + - users/status + verbs: + - get + - patch + - update + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + - fieldexports/status + verbs: + - get + - patch + - update + serviceAccountName: ack-iam-controller + deployments: + - label: + app.kubernetes.io/name: ack-iam-controller + app.kubernetes.io/part-of: ack-system + name: ack-iam-controller + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ack-iam-controller + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: ack-iam-controller + spec: + containers: + - args: + - --aws-region + - $(AWS_REGION) + - --aws-endpoint-url + - $(AWS_ENDPOINT_URL) + - --enable-development-logging=$(ACK_ENABLE_DEVELOPMENT_LOGGING) + - --log-level + - $(ACK_LOG_LEVEL) + - --resource-tags + - $(ACK_RESOURCE_TAGS) + - --watch-namespace + - $(ACK_WATCH_NAMESPACE) + - --enable-leader-election=$(ENABLE_LEADER_ELECTION) + - --leader-election-namespace + - $(LEADER_ELECTION_NAMESPACE) + - --reconcile-default-max-concurrent-syncs + - $(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS) + command: + - ./bin/controller + env: + - name: ACK_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: ack-iam-user-config + optional: false + - secretRef: + name: ack-iam-user-secrets + optional: true + image: public.ecr.aws/aws-controllers-k8s/iam-controller:1.3.13 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: controller + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + dnsPolicy: ClusterFirst + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: ack-iam-controller + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: ack-iam-controller + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: true + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - iam + - aws + - amazon + - ack + links: + - name: AWS Controllers for Kubernetes + url: https://github.com/aws-controllers-k8s/community + - name: Documentation + url: https://aws-controllers-k8s.github.io/community/ + - name: Amazon IAM Developer Resources + url: https://aws.amazon.com/iam/resources/ + maintainers: + - email: ack-maintainers@amazon.com + name: iam maintainer team + maturity: alpha + provider: + name: Amazon, Inc. + url: https://aws.amazon.com + version: 1.3.13 diff --git a/operators/ack-iam-controller/1.3.13/manifests/ack-iam-metrics-service_v1_service.yaml b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-metrics-service_v1_service.yaml new file mode 100644 index 00000000000..3c4c1549cc3 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-metrics-service_v1_service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + name: ack-iam-metrics-service +spec: + ports: + - name: metricsport + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: ack-iam-controller + type: NodePort +status: + loadBalancer: {} diff --git a/operators/ack-iam-controller/1.3.13/manifests/ack-iam-reader_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-reader_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..c1b6978eaee --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-reader_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ack-iam-reader +rules: +- apiGroups: + - iam.services.k8s.aws + resources: + - groups + - instanceprofiles + - openidconnectproviders + - policies + - roles + - users + verbs: + - get + - list + - watch diff --git a/operators/ack-iam-controller/1.3.13/manifests/ack-iam-writer_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-writer_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..eb01d96977b --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/ack-iam-writer_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,36 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ack-iam-writer +rules: +- apiGroups: + - iam.services.k8s.aws + resources: + - groups + - instanceprofiles + - openidconnectproviders + - policies + - roles + - users + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - iam.services.k8s.aws + resources: + - groups + - instanceprofiles + - openidconnectproviders + - policies + - roles + - users + verbs: + - get + - patch + - update diff --git a/operators/ack-iam-controller/1.3.13/manifests/example_iam.services.k8s.aws_v1alpha1_role.yaml b/operators/ack-iam-controller/1.3.13/manifests/example_iam.services.k8s.aws_v1alpha1_role.yaml new file mode 100644 index 00000000000..793a169484b --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/example_iam.services.k8s.aws_v1alpha1_role.yaml @@ -0,0 +1,5 @@ +apiVersion: iam.services.k8s.aws/v1alpha1 +kind: Role +metadata: + name: example +spec: {} diff --git a/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_groups.yaml b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_groups.yaml new file mode 100644 index 00000000000..85b6a7deac7 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_groups.yaml @@ -0,0 +1,197 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: groups.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: Group + listKind: GroupList + plural: groups + singular: group + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Group is the Schema for the Groups API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + GroupSpec defines the desired state of Group. + + Contains information about an IAM group entity. + + This data type is used as a response element in the following operations: + + * CreateGroup + + * GetGroup + + * ListGroups + properties: + inlinePolicies: + additionalProperties: + type: string + type: object + name: + description: |- + The name of the group to create. Do not include the path in this value. + + IAM user, group, role, and policy names must be unique within the account. + Names are not distinguished by case. For example, you cannot create resources + named both "MyResource" and "myresource". + type: string + path: + description: |- + The path to the group. For more information about paths, see IAM identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of either a forward slash (/) by itself + or a string that must begin and end with forward slashes. In addition, it + can contain any ASCII character from the ! (\u0021) through the DEL character + (\u007F), including most punctuation characters, digits, and upper and lowercased + letters. + type: string + policies: + items: + type: string + type: array + policyRefs: + items: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + required: + - name + type: object + status: + description: GroupStatus defines the observed state of Group + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: |- + The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the group was created. + format: date-time + type: string + groupID: + description: |- + The stable and unique string identifying the group. For more information + about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_instanceprofiles.yaml b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_instanceprofiles.yaml new file mode 100644 index 00000000000..3e1d7ddc1b8 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_instanceprofiles.yaml @@ -0,0 +1,211 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: instanceprofiles.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: InstanceProfile + listKind: InstanceProfileList + plural: instanceprofiles + singular: instanceprofile + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: InstanceProfile is the Schema for the InstanceProfiles API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + InstanceProfileSpec defines the desired state of InstanceProfile. + + Contains information about an instance profile. + + This data type is used as a response element in the following operations: + + * CreateInstanceProfile + + * GetInstanceProfile + + * ListInstanceProfiles + + * ListInstanceProfilesForRole + properties: + name: + description: |- + The name of the instance profile to create. + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of upper and lowercase alphanumeric characters + with no spaces. You can also include any of the following characters: _+=,.@- + type: string + path: + description: |- + The path to the instance profile. For more information about paths, see IAM + Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of either a forward slash (/) by itself + or a string that must begin and end with forward slashes. In addition, it + can contain any ASCII character from the ! (\u0021) through the DEL character + (\u007F), including most punctuation characters, digits, and upper and lowercased + letters. + type: string + role: + type: string + roleRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + tags: + description: |- + A list of tags that you want to attach to the newly created IAM instance + profile. Each tag consists of a key name and an associated value. For more + information about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + type: object + status: + description: InstanceProfileStatus defines the observed state of InstanceProfile + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: The date when the instance profile was created. + format: date-time + type: string + instanceProfileID: + description: |- + The stable and unique string identifying the instance profile. For more information + about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_openidconnectproviders.yaml b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_openidconnectproviders.yaml new file mode 100644 index 00000000000..0cd63c1b9e4 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_openidconnectproviders.yaml @@ -0,0 +1,201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: openidconnectproviders.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: OpenIDConnectProvider + listKind: OpenIDConnectProviderList + plural: openidconnectproviders + singular: openidconnectprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OpenIDConnectProvider is the Schema for the OpenIDConnectProviders + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OpenIDConnectProviderSpec defines the desired state of OpenIDConnectProvider. + properties: + clientIDs: + description: |- + Provides a list of client IDs, also known as audiences. When a mobile or + web app registers with an OpenID Connect provider, they establish a value + that identifies the application. This is the value that's sent as the client_id + parameter on OAuth requests. + + You can register multiple client IDs with the same provider. For example, + you might have multiple applications that use the same OIDC provider. You + cannot register more than 100 client IDs with a single IAM OIDC provider. + + There is no defined format for a client ID. The CreateOpenIDConnectProviderRequest + operation accepts client IDs up to 255 characters long. + items: + type: string + type: array + tags: + description: |- + A list of tags that you want to attach to the new IAM OpenID Connect (OIDC) + provider. Each tag consists of a key name and an associated value. For more + information about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + thumbprints: + description: |- + A list of server certificate thumbprints for the OpenID Connect (OIDC) identity + provider's server certificates. Typically this list includes only one entry. + However, IAM lets you have up to five thumbprints for an OIDC provider. This + lets you maintain multiple thumbprints if the identity provider is rotating + certificates. + + The server certificate thumbprint is the hex-encoded SHA-1 hash value of + the X.509 certificate used by the domain where the OpenID Connect provider + makes its keys available. It is always a 40-character string. + + You must provide at least one thumbprint when creating an IAM OIDC provider. + For example, assume that the OIDC provider is server.example.com and the + provider stores its keys at https://keys.server.example.com/openid-connect. + In that case, the thumbprint string would be the hex-encoded SHA-1 hash value + of the certificate used by https://keys.server.example.com. + + For more information about obtaining the OIDC provider thumbprint, see Obtaining + the thumbprint for an OpenID Connect provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-oidc-obtain-thumbprint.html) + in the IAM user Guide. + items: + type: string + type: array + url: + description: |- + The URL of the identity provider. The URL must begin with https:// and should + correspond to the iss claim in the provider's OpenID Connect ID tokens. Per + the OIDC standard, path components are allowed but query parameters are not. + Typically the URL consists of only a hostname, like https://server.example.org + or https://example.com. The URL should not contain a port number. + + You cannot register the same provider multiple times in a single Amazon Web + Services account. If you try to submit a URL that has already been used for + an OpenID Connect provider in the Amazon Web Services account, you will get + an error. + type: string + required: + - thumbprints + - url + type: object + status: + description: OpenIDConnectProviderStatus defines the observed state of + OpenIDConnectProvider + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_policies.yaml b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_policies.yaml new file mode 100644 index 00000000000..3412a79062d --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_policies.yaml @@ -0,0 +1,272 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: policies.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the Policies API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec defines the desired state of Policy. + + Contains information about a managed policy. + + This data type is used as a response element in the CreatePolicy, GetPolicy, + and ListPolicies operations. + + For more information about managed policies, refer to Managed policies and + inline policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) + in the IAM User Guide. + properties: + description: + description: |- + A friendly description of the policy. + + Typically used to store information about the permissions defined in the + policy. For example, "Grants access to production DynamoDB tables." + + The policy description is immutable. After a value is assigned, it cannot + be changed. + type: string + name: + description: |- + The friendly name of the policy. + + IAM user, group, role, and policy names must be unique within the account. + Names are not distinguished by case. For example, you cannot create resources + named both "MyResource" and "myresource". + type: string + path: + description: |- + The path for the policy. + + For more information about paths, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of either a forward slash (/) by itself + or a string that must begin and end with forward slashes. In addition, it + can contain any ASCII character from the ! (\u0021) through the DEL character + (\u007F), including most punctuation characters, digits, and upper and lowercased + letters. + + You cannot use an asterisk (*) in the path name. + type: string + policyDocument: + description: |- + The JSON policy document that you want to use as the content for the new + policy. + + You must provide policies in JSON format in IAM. However, for CloudFormation + templates formatted in YAML, you can provide the policy in JSON or YAML format. + CloudFormation always converts a YAML policy to JSON format before submitting + it to IAM. + + The maximum length of the policy document that you can pass in this operation, + including whitespace, is listed below. To view the maximum character counts + of a managed policy with no whitespaces, see IAM and STS character quotas + (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length). + + To learn more about JSON policy grammar, see Grammar of the IAM JSON policy + language (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) + in the IAM User Guide. + + The regex pattern (http://wikipedia.org/wiki/regex) used to validate this + parameter is a string of characters consisting of the following: + + * Any printable ASCII character ranging from the space character (\u0020) + through the end of the ASCII character range + + * The printable characters in the Basic Latin and Latin-1 Supplement character + set (through \u00FF) + + * The special characters tab (\u0009), line feed (\u000A), and carriage + return (\u000D) + type: string + tags: + description: |- + A list of tags that you want to attach to the new IAM customer managed policy. + Each tag consists of a key name and an associated value. For more information + about tagging, see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + - policyDocument + type: object + status: + description: PolicyStatus defines the observed state of Policy + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + attachmentCount: + description: |- + The number of entities (users, groups, and roles) that the policy is attached + to. + format: int64 + type: integer + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: |- + The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the policy was created. + format: date-time + type: string + defaultVersionID: + description: The identifier for the version of the policy that is + set as the default version. + type: string + isAttachable: + description: Specifies whether the policy can be attached to an IAM + user, group, or role. + type: boolean + permissionsBoundaryUsageCount: + description: |- + The number of entities (users and roles) for which the policy is used to + set the permissions boundary. + + For more information about permissions boundaries, see Permissions boundaries + for IAM identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + format: int64 + type: integer + policyID: + description: |- + The stable and unique string identifying the policy. + + For more information about IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + updateDate: + description: |- + The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the policy was last updated. + + When a policy has only one version, this field contains the date and time + when the policy was created. When a policy has more than one version, this + field contains the date and time when the most recent policy version was + created. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_roles.yaml b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_roles.yaml new file mode 100644 index 00000000000..3cfb9d2c002 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_roles.yaml @@ -0,0 +1,310 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: roles.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: Role + listKind: RoleList + plural: roles + singular: role + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Role is the Schema for the Roles API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + RoleSpec defines the desired state of Role. + + Contains information about an IAM role. This structure is returned as a response + element in several API operations that interact with roles. + properties: + assumeRolePolicyDocument: + description: |- + The trust relationship policy document that grants an entity permission to + assume the role. + + In IAM, you must provide a JSON policy that has been converted to a string. + However, for CloudFormation templates formatted in YAML, you can provide + the policy in JSON or YAML format. CloudFormation always converts a YAML + policy to JSON format before submitting it to IAM. + + The regex pattern (http://wikipedia.org/wiki/regex) used to validate this + parameter is a string of characters consisting of the following: + + * Any printable ASCII character ranging from the space character (\u0020) + through the end of the ASCII character range + + * The printable characters in the Basic Latin and Latin-1 Supplement character + set (through \u00FF) + + * The special characters tab (\u0009), line feed (\u000A), and carriage + return (\u000D) + + Upon success, the response includes the same trust policy in JSON format. + type: string + description: + description: A description of the role. + type: string + inlinePolicies: + additionalProperties: + type: string + type: object + maxSessionDuration: + description: |- + The maximum session duration (in seconds) that you want to set for the specified + role. If you do not specify a value for this setting, the default value of + one hour is applied. This setting can have a value from 1 hour to 12 hours. + + Anyone who assumes the role from the CLI or API can use the DurationSeconds + API parameter or the duration-seconds CLI parameter to request a longer session. + The MaxSessionDuration setting determines the maximum duration that can be + requested using the DurationSeconds parameter. If users don't specify a value + for the DurationSeconds parameter, their security credentials are valid for + one hour by default. This applies when you use the AssumeRole* API operations + or the assume-role* CLI operations but does not apply when you use those + operations to create a console URL. For more information, see Using IAM roles + (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the + IAM User Guide. + format: int64 + type: integer + name: + description: |- + The name of the role to create. + + IAM user, group, role, and policy names must be unique within the account. + Names are not distinguished by case. For example, you cannot create resources + named both "MyResource" and "myresource". + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of upper and lowercase alphanumeric characters + with no spaces. You can also include any of the following characters: _+=,.@- + type: string + path: + description: |- + The path to the role. For more information about paths, see IAM Identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of either a forward slash (/) by itself + or a string that must begin and end with forward slashes. In addition, it + can contain any ASCII character from the ! (\u0021) through the DEL character + (\u007F), including most punctuation characters, digits, and upper and lowercased + letters. + type: string + permissionsBoundary: + description: |- + The ARN of the managed policy that is used to set the permissions boundary + for the role. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string + permissionsBoundaryRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + policies: + items: + type: string + type: array + policyRefs: + items: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + tags: + description: |- + A list of tags that you want to attach to the new role. Each tag consists + of a key name and an associated value. For more information about tagging, + see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - assumeRolePolicyDocument + - name + type: object + status: + description: RoleStatus defines the observed state of Role + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: |- + The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the role was created. + format: date-time + type: string + roleID: + description: |- + The stable and unique string identifying the role. For more information about + IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + roleLastUsed: + description: |- + Contains information about the last time that an IAM role was used. This + includes the date and time and the Region in which the role was last used. + Activity is only reported for the trailing 400 days. This period can be shorter + if your Region began supporting these features within the last year. The + role might have been used more than 400 days ago. For more information, see + Regions where data is tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period) + in the IAM user Guide. + properties: + lastUsedDate: + format: date-time + type: string + region: + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_users.yaml b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_users.yaml new file mode 100644 index 00000000000..1e21b311671 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/manifests/iam.services.k8s.aws_users.yaml @@ -0,0 +1,274 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: users.iam.services.k8s.aws +spec: + group: iam.services.k8s.aws + names: + kind: User + listKind: UserList + plural: users + singular: user + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: User is the Schema for the Users API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + UserSpec defines the desired state of User. + + Contains information about an IAM user entity. + + This data type is used as a response element in the following operations: + + * CreateUser + + * GetUser + + * ListUsers + properties: + inlinePolicies: + additionalProperties: + type: string + type: object + name: + description: |- + The name of the user to create. + + IAM user, group, role, and policy names must be unique within the account. + Names are not distinguished by case. For example, you cannot create resources + named both "MyResource" and "myresource". + type: string + path: + description: |- + The path for the user name. For more information about paths, see IAM identifiers + (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + + This parameter is optional. If it is not included, it defaults to a slash + (/). + + This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex)) + a string of characters consisting of either a forward slash (/) by itself + or a string that must begin and end with forward slashes. In addition, it + can contain any ASCII character from the ! (\u0021) through the DEL character + (\u007F), including most punctuation characters, digits, and upper and lowercased + letters. + type: string + permissionsBoundary: + description: |- + The ARN of the managed policy that is used to set the permissions boundary + for the user. + + A permissions boundary policy defines the maximum permissions that identity-based + policies can grant to an entity, but does not grant permissions. Permissions + boundaries do not define the maximum permissions that a resource-based policy + can grant to an entity. To learn more, see Permissions boundaries for IAM + entities (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) + in the IAM User Guide. + + For more information about policy types, see Policy types (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) + in the IAM User Guide. + type: string + permissionsBoundaryRef: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + policies: + items: + type: string + type: array + policyRefs: + items: + description: "AWSResourceReferenceWrapper provides a wrapper around + *AWSResourceReference\ntype to provide more user friendly syntax + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t + \ name: my-api" + properties: + from: + description: |- + AWSResourceReference provides all the values necessary to reference another + k8s resource for finding the identifier(Id/ARN/Name) + properties: + name: + type: string + namespace: + type: string + type: object + type: object + type: array + tags: + description: |- + A list of tags that you want to attach to the new user. Each tag consists + of a key name and an associated value. For more information about tagging, + see Tagging IAM resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + + If any one of the tags is invalid or if you exceed the allowed maximum number + of tags, then the entire request fails and the resource is not created. + items: + description: |- + A structure that represents user-provided metadata that can be associated + with an IAM resource. For more information about tagging, see Tagging IAM + resources (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - name + type: object + status: + description: UserStatus defines the observed state of User + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + createDate: + description: |- + The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the user was created. + format: date-time + type: string + passwordLastUsed: + description: |- + The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + when the user's password was last used to sign in to an Amazon Web Services + website. For a list of Amazon Web Services websites that capture a user's + last sign-in time, see the Credential reports (https://docs.aws.amazon.com/IAM/latest/UserGuide/credential-reports.html) + topic in the IAM User Guide. If a password is used more than once in a five-minute + span, only the first use is returned in this field. If the field is null + (no value), then it indicates that they never signed in with a password. + This can be because: + + * The user never had a password. + + * A password exists but has not been used since IAM started tracking this + information on October 20, 2014. + + A null value does not mean that the user never had a password. Also, if the + user does not currently have a password but had one in the past, then this + field contains the date and time the most recent password was used. + + This value is returned only in the GetUser and ListUsers operations. + format: date-time + type: string + userID: + description: |- + The stable and unique string identifying the user. For more information about + IDs, see IAM identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-iam-controller/1.3.13/metadata/annotations.yaml b/operators/ack-iam-controller/1.3.13/metadata/annotations.yaml new file mode 100644 index 00000000000..68b32039f9b --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/metadata/annotations.yaml @@ -0,0 +1,15 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: ack-iam-controller + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.bundle.channel.default.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: unknown + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/ack-iam-controller/1.3.13/tests/scorecard/config.yaml b/operators/ack-iam-controller/1.3.13/tests/scorecard/config.yaml new file mode 100644 index 00000000000..382ddefd156 --- /dev/null +++ b/operators/ack-iam-controller/1.3.13/tests/scorecard/config.yaml @@ -0,0 +1,50 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}