oauth2 token exchange credentials

api/v1alpha1/connection_types.go

@@ -5,8 +5,9 @@ import (
 )
 
 type ConnectionOptions struct {
-	AccessToken       *AccessTokenAuth       `json:"accessToken,omitempty"`
-	StaticCredentials *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
+	AccessToken        *AccessTokenAuth       `json:"accessToken,omitempty"`
+	StaticCredentials  *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
+	Oauth2TokenExhange *Oauth2TokenExchange   `json:"oauth2TokenExchange,omitempty"`
 }
 
 type AccessTokenAuth struct {
@@ -18,6 +19,24 @@ type StaticCredentialsAuth struct {
 	Password *CredentialSource `json:"password,omitempty"`
 }
 
+type Oauth2TokenExchange struct {
+	Endpoint   string            `json:"endpoint"`
+	PrivateKey *CredentialSource `json:"privateKey"`
+	JWTHeader  *JWTHeader        `json:",inline"`
+	JWTClaims  *JWTClaims        `json:",inline"`
+}
+
+type JWTHeader struct {
+	KeyID   string `json:"keyID,omitempty"`
+	SignAlg string `json:"signAlg,omitempty"`
+}
+type JWTClaims struct {
+	Issuer   string `json:"issuer,omitempty"`
+	Subject  string `json:"subject,omitempty"`
+	Audience string `json:"audience,omitempty"`
+	ID       string `json:"id,omitempty"`
+}
+
 type CredentialSource struct {
 	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef"`
 }

deploy/ydb-operator/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.14
+version: 0.5.15
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.5.14"
+appVersion: "0.5.15"

deploy/ydb-operator/crds/storage.yaml

@@ -4858,6 +4858,50 @@ spec:
                     required:
                     - secretKeyRef
                     type: object
+                  oauth2TokenExchange:
+                    properties:
+                      audience:
+                        type: string
+                      endpoint:
+                        type: string
+                      id:
+                        type: string
+                      issuer:
+                        type: string
+                      keyID:
+                        type: string
+                      privateKey:
+                        properties:
+                          secretKeyRef:
+                            description: SecretKeySelector selects a key of a Secret.
+                            properties:
+                              key:
+                                description: The key of the secret to select from.  Must
+                                  be a valid secret key.
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  TODO: Add other useful fields. apiVersion, kind,
+                                  uid?'
+                                type: string
+                              optional:
+                                description: Specify whether the Secret or its key
+                                  must be defined
+                                type: boolean
+                            required:
+                            - key
+                            type: object
+                        required:
+                        - secretKeyRef
+                        type: object
+                      signAlg:
+                        type: string
+                      subject:
+                        type: string
+                    required:
+                    - endpoint
+                    - privateKey
+                    type: object
                   staticCredentials:
                     properties:
                       password:

go.mod

@@ -5,15 +5,16 @@ go 1.20
 require (
 	github.com/banzaicloud/k8s-objectmatcher v1.7.0
 	github.com/go-logr/logr v1.2.4
+	github.com/golang-jwt/jwt/v4 v4.4.1
 	github.com/google/go-cmp v0.5.9
 	github.com/onsi/ginkgo/v2 v2.9.4
 	github.com/onsi/gomega v1.27.6
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.50.0
-	github.com/ydb-platform/ydb-go-genproto v0.0.0-20230801151335-81e01be38941
-	github.com/ydb-platform/ydb-go-sdk/v3 v3.53.0
-	google.golang.org/grpc v1.53.0
-	google.golang.org/protobuf v1.28.1
+	github.com/ydb-platform/ydb-go-genproto v0.0.0-20240528144234-5d5a685e41f7
+	github.com/ydb-platform/ydb-go-sdk/v3 v3.74.2
+	google.golang.org/grpc v1.57.1
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.26.1
 	k8s.io/apimachinery v0.26.1
@@ -38,7 +39,6 @@ require (
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
@@ -63,17 +63,17 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.9.1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.26.1 // indirect