diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 4016be4..1dbde7a 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -944,6 +944,7 @@ func (in *OrganizationList) DeepCopyObject() runtime.Object { func (in *OrganizationRef) DeepCopyInto(out *OrganizationRef) { *out = *in out.ObjectReference = in.ObjectReference + out.ConnectionRef = in.ConnectionRef } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrganizationRef. @@ -1108,6 +1109,7 @@ func (in *ProjectList) DeepCopyObject() runtime.Object { func (in *ProjectRef) DeepCopyInto(out *ProjectRef) { *out = *in out.ObjectReference = in.ObjectReference + out.ConnectionRef = in.ConnectionRef } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectRef. @@ -1190,6 +1192,21 @@ func (in *ProjectStatus) DeepCopy() *ProjectStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ResolvedReference) DeepCopyInto(out *ResolvedReference) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolvedReference. +func (in *ResolvedReference) DeepCopy() *ResolvedReference { + if in == nil { + return nil + } + out := new(ResolvedReference) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Resource) DeepCopyInto(out *Resource) { *out = *in diff --git a/config/crd/bases/zitadel.github.com_actions.yaml b/config/crd/bases/zitadel.github.com_actions.yaml index aefe614..930ed79 100644 --- a/config/crd/bases/zitadel.github.com_actions.yaml +++ b/config/crd/bases/zitadel.github.com_actions.yaml 
@@ -50,6 +50,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -60,6 +102,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -87,6 +131,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' script: type: string timeout: diff --git a/config/crd/bases/zitadel.github.com_apiapps.yaml b/config/crd/bases/zitadel.github.com_apiapps.yaml index 600cfa3..03be1d8 100644 --- a/config/crd/bases/zitadel.github.com_apiapps.yaml +++ b/config/crd/bases/zitadel.github.com_apiapps.yaml 
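Review bot: The second CEL rule in the @@ -87 hunk, `rule: '!has(self.id) || has(self.connectionRef.name)'`, dereferences `self.connectionRef` before checking that it is present, so a spec that sets `id` and omits `connectionRef` entirely appears to fail with a rule-evaluation error rather than the intended "zitadel ID reference requires connectionRef.name" message; `rule: '!has(self.id) || (has(self.connectionRef) && has(self.connectionRef.name))'` guards the parent object first. Since these CRDs look like controller-gen output, the change belongs on the `+kubebuilder:validation:XValidation` marker of the shared reference type in api/v1alpha1 (not shown here) and would then regenerate identically into the apiapps, flows, machineusers, oidcapps and projects CRDs and the ops/chart/crds copies, which all carry the same two rules. Also, `id` is declared only as `type: string`, so `id: ""` satisfies `has(self.id)` and passes both rules; a MinLength or pattern constraint on that field would reject an empty Zitadel ID at admission instead of leaving it to the controller. Finally, `connectionRef` carries the full ObjectReference including `namespace`; if the controller honours that field, a resource in one namespace can bind to a connection object in another, which is worth confirming or restricting in the resolver.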
@@ -52,6 +52,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -62,6 +104,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -89,6 +133,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' required: - authMethodType - projectRef diff --git a/config/crd/bases/zitadel.github.com_flows.yaml b/config/crd/bases/zitadel.github.com_flows.yaml index 668c757..f3c087f 100644 --- a/config/crd/bases/zitadel.github.com_flows.yaml +++ b/config/crd/bases/zitadel.github.com_flows.yaml 
@@ -99,6 +99,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -109,6 +151,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -136,6 +180,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' triggerType: enum: - TRIGGER_TYPE_POST_AUTHENTICATION diff --git a/config/crd/bases/zitadel.github.com_machineusers.yaml b/config/crd/bases/zitadel.github.com_machineusers.yaml index d74c715..d0cc34f 100644 --- a/config/crd/bases/zitadel.github.com_machineusers.yaml +++ b/config/crd/bases/zitadel.github.com_machineusers.yaml 
@@ -48,10 +48,54 @@ spec: items: properties: projectRef: + description: ProjectRef can reference a project via K8s object + or direct Zitadel ID properties: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string @@ -62,6 +106,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -89,6 +135,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or + zitadel ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' roleKeys: items: type: string 
@@ -158,6 +210,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -168,6 +262,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -195,6 +291,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' username: type: string required: diff --git a/config/crd/bases/zitadel.github.com_oidcapps.yaml b/config/crd/bases/zitadel.github.com_oidcapps.yaml index 90b79a2..26426d0 100644 --- a/config/crd/bases/zitadel.github.com_oidcapps.yaml +++ b/config/crd/bases/zitadel.github.com_oidcapps.yaml 
@@ -98,6 +98,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -108,6 +150,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -135,6 +179,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' redirectUris: items: type: string @@ -232,8 +282,6 @@ spec: - type type: object type: array - required: - - appId type: object type: object served: true diff --git a/config/crd/bases/zitadel.github.com_projects.yaml b/config/crd/bases/zitadel.github.com_projects.yaml index 01f1eea..73763e4 100644 --- a/config/crd/bases/zitadel.github.com_projects.yaml +++ b/config/crd/bases/zitadel.github.com_projects.yaml 
@@ -43,10 +43,54 @@ spec: items: properties: organizationRef: + description: OrganizationRef can reference an organization via + K8s object or direct Zitadel ID properties: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string @@ -57,6 +101,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -84,6 +130,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or + zitadel ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' roleKeys: items: type: string 
@@ -104,6 +156,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -114,6 +208,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -141,6 +237,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' projectName: type: string projectRoleAssertion: diff --git a/ops/chart/crds/action-crd.yaml b/ops/chart/crds/action-crd.yaml index d4f7667..2798fd8 100644 --- a/ops/chart/crds/action-crd.yaml +++ b/ops/chart/crds/action-crd.yaml 
@@ -49,6 +49,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -59,6 +101,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -86,6 +130,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' script: type: string timeout: diff --git a/ops/chart/crds/apiapp-crd.yaml b/ops/chart/crds/apiapp-crd.yaml index 3115837..db5eac1 100644 --- a/ops/chart/crds/apiapp-crd.yaml +++ b/ops/chart/crds/apiapp-crd.yaml 
@@ -51,6 +51,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -61,6 +103,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -88,6 +132,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' required: - authMethodType - projectRef diff --git a/ops/chart/crds/flow-crd.yaml b/ops/chart/crds/flow-crd.yaml index d893200..46b795e 100644 --- a/ops/chart/crds/flow-crd.yaml +++ b/ops/chart/crds/flow-crd.yaml 
@@ -98,6 +98,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -108,6 +150,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -135,6 +179,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' triggerType: enum: - TRIGGER_TYPE_POST_AUTHENTICATION diff --git a/ops/chart/crds/machineuser-crd.yaml b/ops/chart/crds/machineuser-crd.yaml index d3aa46e..54e5ec9 100644 --- a/ops/chart/crds/machineuser-crd.yaml +++ b/ops/chart/crds/machineuser-crd.yaml 
@@ -47,10 +47,54 @@ spec: items: properties: projectRef: + description: ProjectRef can reference a project via K8s object + or direct Zitadel ID properties: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string @@ -61,6 +105,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -88,6 +134,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or + zitadel ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' roleKeys: items: type: string 
@@ -157,6 +209,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -167,6 +261,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -194,6 +290,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' username: type: string required: diff --git a/ops/chart/crds/oidcapp-crd.yaml b/ops/chart/crds/oidcapp-crd.yaml index 6c14017..8348ce5 100644 --- a/ops/chart/crds/oidcapp-crd.yaml +++ b/ops/chart/crds/oidcapp-crd.yaml 
@@ -97,6 +97,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -107,6 +149,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -134,6 +178,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' redirectUris: items: type: string @@ -231,8 +281,6 @@ spec: - type type: object type: array - required: - - appId type: object type: object served: true diff --git a/ops/chart/crds/project-crd.yaml b/ops/chart/crds/project-crd.yaml index bbecd29..532d8a3 100644 --- a/ops/chart/crds/project-crd.yaml +++ b/ops/chart/crds/project-crd.yaml 
@@ -42,10 +42,54 @@ spec: items: properties: organizationRef: + description: OrganizationRef can reference an organization via + K8s object or direct Zitadel ID properties: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string @@ -56,6 +100,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -83,6 +129,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or + zitadel ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' roleKeys: items: type: string 
@@ -103,6 +155,48 @@ spec: apiVersion: description: API version of the referent. type: string + connectionRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic fieldPath: description: |- If referring to a piece of an object instead of an entire object, this string 
@@ -113,6 +207,8 @@ spec: index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. type: string + id: + type: string kind: description: |- Kind of the referent. @@ -140,6 +236,12 @@ spec: type: string type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: must provide either k8s object reference (name) or zitadel + ID reference (id), but not both + rule: has(self.name) == has(self.id) + - message: zitadel ID reference requires connectionRef.name + rule: '!has(self.id) || has(self.connectionRef.name)' projectName: type: string projectRoleAssertion: