1use crate::Platform;
9use serde::{Deserialize, Serialize};
10use std::collections::HashMap;
11
12#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
14#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
15#[serde(rename_all = "camelCase", deny_unknown_fields)]
16pub struct AwsServiceOverrides {
17 pub endpoints: HashMap<String, String>,
20}
21
22#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
24#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
25#[serde(rename_all = "camelCase", deny_unknown_fields)]
26pub struct AwsImpersonationConfig {
27 pub role_arn: String,
29 pub session_name: Option<String>,
31 pub duration_seconds: Option<i32>,
33 pub external_id: Option<String>,
35 #[serde(skip_serializing_if = "Option::is_none")]
39 pub target_region: Option<String>,
40}
41
42#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
44#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
45#[serde(rename_all = "camelCase", deny_unknown_fields)]
46pub struct AwsWebIdentityConfig {
47 pub role_arn: String,
49 pub session_name: Option<String>,
51 pub web_identity_token_file: String,
53 pub duration_seconds: Option<i32>,
55}
56
57#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
59#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
60#[serde(rename_all = "camelCase", tag = "type")]
61pub enum AwsCredentials {
62 AccessKeys {
64 access_key_id: String,
66 secret_access_key: String,
68 session_token: Option<String>,
70 },
71 SessionCredentials {
73 access_key_id: String,
75 secret_access_key: String,
77 session_token: String,
79 expires_at: String,
81 },
82 Imds {
84 endpoint: Option<String>,
86 },
87 Profile {
89 name: String,
91 },
92 WebIdentity {
94 config: AwsWebIdentityConfig,
96 },
97}
98
99impl std::fmt::Debug for AwsCredentials {
100 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
101 match self {
102 AwsCredentials::AccessKeys {
103 access_key_id,
104 session_token,
105 ..
106 } => f
107 .debug_struct("AwsCredentials::AccessKeys")
108 .field("access_key_id", access_key_id)
109 .field("secret_access_key", &"[REDACTED]")
110 .field(
111 "session_token",
112 &session_token.as_ref().map(|_| "[REDACTED]"),
113 )
114 .finish(),
115 AwsCredentials::SessionCredentials {
116 access_key_id,
117 expires_at,
118 ..
119 } => f
120 .debug_struct("AwsCredentials::SessionCredentials")
121 .field("access_key_id", access_key_id)
122 .field("secret_access_key", &"[REDACTED]")
123 .field("session_token", &"[REDACTED]")
124 .field("expires_at", expires_at)
125 .finish(),
126 AwsCredentials::Imds { endpoint } => f
127 .debug_struct("AwsCredentials::Imds")
128 .field("endpoint", endpoint)
129 .finish(),
130 AwsCredentials::Profile { name } => f
131 .debug_struct("AwsCredentials::Profile")
132 .field("name", name)
133 .finish(),
134 AwsCredentials::WebIdentity { config } => f
135 .debug_struct("AwsCredentials::WebIdentity")
136 .field("config", config)
137 .finish(),
138 }
139 }
140}
141
142#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
144#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
145#[serde(rename_all = "camelCase", deny_unknown_fields)]
146pub struct AwsClientConfig {
147 pub account_id: String,
149 pub region: String,
151 pub credentials: AwsCredentials,
153 #[serde(skip_serializing_if = "Option::is_none")]
155 pub service_overrides: Option<AwsServiceOverrides>,
156}
157
158#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
160#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
161#[serde(rename_all = "camelCase", deny_unknown_fields)]
162pub struct GcpServiceOverrides {
163 pub endpoints: HashMap<String, String>,
166}
167
168#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
170#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
171#[serde(rename_all = "camelCase", tag = "type")]
172pub enum GcpCredentials {
173 AccessToken { token: String },
175
176 ImpersonatedServiceAccount {
178 #[cfg_attr(feature = "openapi", schema(value_type = Object))]
180 source: Box<GcpClientConfig>,
181 config: GcpImpersonationConfig,
183 },
184
185 ServiceAccountKey { json: String },
188
189 ServiceMetadata,
191
192 ProjectedServiceAccount {
194 token_file: String,
196 service_account_email: String,
198 },
199
200 ExternalAccount {
202 audience: String,
204 subject_token_type: String,
206 token_url: String,
208 credential_source_file: String,
210 service_account_impersonation_url: Option<String>,
212 },
213
214 AuthorizedUser {
217 client_id: String,
219 client_secret: String,
221 refresh_token: String,
223 },
224}
225
226impl std::fmt::Debug for GcpCredentials {
227 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
228 match self {
229 GcpCredentials::AccessToken { .. } => f
230 .debug_struct("GcpCredentials::AccessToken")
231 .field("token", &"[REDACTED]")
232 .finish(),
233 GcpCredentials::ImpersonatedServiceAccount { source, config } => f
234 .debug_struct("GcpCredentials::ImpersonatedServiceAccount")
235 .field("source_project_id", &source.project_id)
236 .field("source_region", &source.region)
237 .field("service_account_email", &config.service_account_email)
238 .finish(),
239 GcpCredentials::ServiceAccountKey { .. } => f
240 .debug_struct("GcpCredentials::ServiceAccountKey")
241 .field("json", &"[REDACTED]")
242 .finish(),
243 GcpCredentials::ServiceMetadata => write!(f, "GcpCredentials::ServiceMetadata"),
244 GcpCredentials::ProjectedServiceAccount {
245 token_file,
246 service_account_email,
247 } => f
248 .debug_struct("GcpCredentials::ProjectedServiceAccount")
249 .field("token_file", token_file)
250 .field("service_account_email", service_account_email)
251 .finish(),
252 GcpCredentials::ExternalAccount {
253 audience,
254 subject_token_type,
255 token_url,
256 credential_source_file,
257 service_account_impersonation_url,
258 } => f
259 .debug_struct("GcpCredentials::ExternalAccount")
260 .field("audience", audience)
261 .field("subject_token_type", subject_token_type)
262 .field("token_url", token_url)
263 .field("credential_source_file", credential_source_file)
264 .field(
265 "service_account_impersonation_url",
266 service_account_impersonation_url,
267 )
268 .finish(),
269 GcpCredentials::AuthorizedUser { client_id, .. } => f
270 .debug_struct("GcpCredentials::AuthorizedUser")
271 .field("client_id", client_id)
272 .field("client_secret", &"[REDACTED]")
273 .field("refresh_token", &"[REDACTED]")
274 .finish(),
275 }
276 }
277}
278
279#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
281#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
282#[serde(rename_all = "camelCase", deny_unknown_fields)]
283pub struct GcpImpersonationConfig {
284 pub service_account_email: String,
286 pub scopes: Vec<String>,
288 pub delegates: Option<Vec<String>>,
290 pub lifetime: Option<String>,
292 #[serde(skip_serializing_if = "Option::is_none")]
295 pub target_project_id: Option<String>,
296 #[serde(skip_serializing_if = "Option::is_none")]
299 pub target_region: Option<String>,
300}
301
302impl Default for GcpImpersonationConfig {
303 fn default() -> Self {
304 Self {
305 service_account_email: String::new(),
306 scopes: vec!["https://www.googleapis.com/auth/cloud-platform".to_string()],
307 delegates: None,
308 lifetime: Some("3600s".to_string()),
309 target_project_id: None,
310 target_region: None,
311 }
312 }
313}
314
315#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
317#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
318#[serde(rename_all = "camelCase", deny_unknown_fields)]
319pub struct GcpClientConfig {
320 pub project_id: String,
322 pub region: String,
324 pub credentials: GcpCredentials,
326 #[serde(skip_serializing_if = "Option::is_none")]
328 pub service_overrides: Option<GcpServiceOverrides>,
329 #[serde(default, skip_serializing_if = "Option::is_none")]
332 pub project_number: Option<String>,
333}
334
335#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
337#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
338#[serde(rename_all = "camelCase", deny_unknown_fields)]
339pub struct AzureServiceOverrides {
340 pub endpoints: HashMap<String, String>,
343}
344
345#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
347#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
348#[serde(rename_all = "camelCase", tag = "type")]
349pub enum AzureCredentials {
350 ServicePrincipal {
352 client_id: String,
354 client_secret: String,
356 },
357 AccessToken {
359 token: String,
361 },
362 VmManagedIdentity {
364 client_id: String,
366 identity_endpoint: Option<String>,
368 },
369 WorkloadIdentity {
371 client_id: String,
373 tenant_id: String,
375 federated_token_file: String,
377 authority_host: String,
379 },
380 ManagedIdentity {
383 client_id: String,
385 identity_endpoint: String,
387 identity_header: String,
389 },
390}
391
392impl std::fmt::Debug for AzureCredentials {
393 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
394 match self {
395 AzureCredentials::ServicePrincipal { client_id, .. } => f
396 .debug_struct("AzureCredentials::ServicePrincipal")
397 .field("client_id", client_id)
398 .field("client_secret", &"[REDACTED]")
399 .finish(),
400 AzureCredentials::AccessToken { .. } => f
401 .debug_struct("AzureCredentials::AccessToken")
402 .field("token", &"[REDACTED]")
403 .finish(),
404 AzureCredentials::VmManagedIdentity {
405 client_id,
406 identity_endpoint,
407 } => f
408 .debug_struct("AzureCredentials::VmManagedIdentity")
409 .field("client_id", client_id)
410 .field("identity_endpoint", identity_endpoint)
411 .finish(),
412 AzureCredentials::WorkloadIdentity {
413 client_id,
414 tenant_id,
415 federated_token_file,
416 authority_host,
417 } => f
418 .debug_struct("AzureCredentials::WorkloadIdentity")
419 .field("client_id", client_id)
420 .field("tenant_id", tenant_id)
421 .field("federated_token_file", federated_token_file)
422 .field("authority_host", authority_host)
423 .finish(),
424 AzureCredentials::ManagedIdentity {
425 client_id,
426 identity_endpoint,
427 ..
428 } => f
429 .debug_struct("AzureCredentials::ManagedIdentity")
430 .field("client_id", client_id)
431 .field("identity_endpoint", identity_endpoint)
432 .field("identity_header", &"[REDACTED]")
433 .finish(),
434 }
435 }
436}
437
438#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
440#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
441#[serde(rename_all = "camelCase", deny_unknown_fields)]
442pub struct AzureImpersonationConfig {
443 pub client_id: String,
445 pub scope: String,
447 pub tenant_id: Option<String>,
449 #[serde(skip_serializing_if = "Option::is_none")]
452 pub target_subscription_id: Option<String>,
453 #[serde(skip_serializing_if = "Option::is_none")]
456 pub target_region: Option<String>,
457}
458
459impl Default for AzureImpersonationConfig {
460 fn default() -> Self {
461 Self {
462 client_id: String::new(),
463 scope: "https://management.azure.com/.default".to_string(),
464 tenant_id: None,
465 target_subscription_id: None,
466 target_region: None,
467 }
468 }
469}
470
471#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
473#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
474#[serde(rename_all = "camelCase", deny_unknown_fields)]
475pub struct AzureClientConfig {
476 pub subscription_id: String,
478 pub tenant_id: String,
480 pub region: Option<String>,
482 pub credentials: AzureCredentials,
484 #[serde(skip_serializing_if = "Option::is_none")]
486 pub service_overrides: Option<AzureServiceOverrides>,
487}
488
489#[derive(Clone, PartialEq, Eq, Serialize, Deserialize)]
491#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
492#[serde(rename_all = "camelCase", tag = "mode")]
493pub enum KubernetesClientConfig {
494 InCluster {
496 #[serde(skip_serializing_if = "Option::is_none")]
498 namespace: Option<String>,
499 #[serde(skip_serializing_if = "Option::is_none")]
501 additional_headers: Option<HashMap<String, String>>,
502 },
503 Kubeconfig {
505 #[serde(skip_serializing_if = "Option::is_none")]
507 kubeconfig_path: Option<String>,
508 #[serde(skip_serializing_if = "Option::is_none")]
510 context: Option<String>,
511 #[serde(skip_serializing_if = "Option::is_none")]
513 cluster: Option<String>,
514 #[serde(skip_serializing_if = "Option::is_none")]
516 user: Option<String>,
517 #[serde(skip_serializing_if = "Option::is_none")]
519 namespace: Option<String>,
520 #[serde(skip_serializing_if = "Option::is_none")]
522 additional_headers: Option<HashMap<String, String>>,
523 },
524 Manual {
526 server_url: String,
528 certificate_authority_data: Option<String>,
530 insecure_skip_tls_verify: Option<bool>,
532 client_certificate_data: Option<String>,
534 client_key_data: Option<String>,
536 token: Option<String>,
538 username: Option<String>,
540 password: Option<String>,
542 namespace: Option<String>,
544 additional_headers: HashMap<String, String>,
546 },
547}
548
549impl std::fmt::Debug for KubernetesClientConfig {
550 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
551 match self {
552 KubernetesClientConfig::InCluster {
553 namespace,
554 additional_headers,
555 } => f
556 .debug_struct("KubernetesClientConfig::InCluster")
557 .field("namespace", namespace)
558 .field("additional_headers", additional_headers)
559 .finish(),
560 KubernetesClientConfig::Kubeconfig {
561 kubeconfig_path,
562 context,
563 cluster,
564 user,
565 namespace,
566 additional_headers,
567 } => f
568 .debug_struct("KubernetesClientConfig::Kubeconfig")
569 .field("kubeconfig_path", kubeconfig_path)
570 .field("context", context)
571 .field("cluster", cluster)
572 .field("user", user)
573 .field("namespace", namespace)
574 .field("additional_headers", additional_headers)
575 .finish(),
576 KubernetesClientConfig::Manual {
577 server_url,
578 certificate_authority_data,
579 insecure_skip_tls_verify,
580 client_certificate_data,
581 client_key_data,
582 token,
583 username,
584 password,
585 namespace,
586 additional_headers,
587 } => f
588 .debug_struct("KubernetesClientConfig::Manual")
589 .field("server_url", server_url)
590 .field("certificate_authority_data", certificate_authority_data)
591 .field("insecure_skip_tls_verify", insecure_skip_tls_verify)
592 .field("client_certificate_data", client_certificate_data)
593 .field(
594 "client_key_data",
595 &client_key_data.as_ref().map(|_| "[REDACTED]"),
596 )
597 .field("token", &token.as_ref().map(|_| "[REDACTED]"))
598 .field("username", username)
599 .field("password", &password.as_ref().map(|_| "[REDACTED]"))
600 .field("namespace", namespace)
601 .field("additional_headers", additional_headers)
602 .finish(),
603 }
604 }
605}
606
607#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
609#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
610#[serde(rename_all = "camelCase", tag = "platform")]
611pub enum ImpersonationConfig {
612 Aws(AwsImpersonationConfig),
613 Gcp(GcpImpersonationConfig),
614 Azure(AzureImpersonationConfig),
615 }
617
618#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
620#[cfg_attr(feature = "openapi", derive(utoipa::ToSchema))]
621#[serde(rename_all = "camelCase", tag = "platform")]
622pub enum ClientConfig {
623 Aws(Box<AwsClientConfig>),
624 Gcp(Box<GcpClientConfig>),
625 Azure(Box<AzureClientConfig>),
626 Kubernetes(Box<KubernetesClientConfig>),
627 KubernetesCloud {
628 kubernetes: Box<KubernetesClientConfig>,
629 #[cfg_attr(feature = "openapi", schema(value_type = Object))]
630 cloud: Box<ClientConfig>,
631 },
632 Local {
633 state_directory: String,
635 },
636 #[serde(skip)]
638 Machines,
639 #[serde(skip)]
641 Test,
642}
643
644impl ClientConfig {
645 pub fn platform(&self) -> Platform {
647 match self {
648 ClientConfig::Aws(_) => Platform::Aws,
649 ClientConfig::Gcp(_) => Platform::Gcp,
650 ClientConfig::Azure(_) => Platform::Azure,
651 ClientConfig::Kubernetes(_) => Platform::Kubernetes,
652 ClientConfig::KubernetesCloud { .. } => Platform::Kubernetes,
653 ClientConfig::Local { .. } => Platform::Local,
654 ClientConfig::Machines => Platform::Machines,
655 ClientConfig::Test => Platform::Test,
656 }
657 }
658
659 pub fn config_for_platform(&self, platform: Platform) -> Option<ClientConfig> {
660 match self {
661 ClientConfig::KubernetesCloud { cloud, .. } => {
662 if platform == Platform::Kubernetes {
663 Some(self.clone())
664 } else if cloud.platform() == platform {
665 Some((**cloud).clone())
666 } else {
667 None
668 }
669 }
670 config if config.platform() == platform => Some(config.clone()),
671 _ => None,
672 }
673 }
674
675 pub fn aws_config(&self) -> Option<&AwsClientConfig> {
677 match self {
678 ClientConfig::Aws(config) => Some(config),
679 ClientConfig::KubernetesCloud { cloud, .. } => cloud.aws_config(),
680 _ => None,
681 }
682 }
683
684 pub fn gcp_config(&self) -> Option<&GcpClientConfig> {
686 match self {
687 ClientConfig::Gcp(config) => Some(config),
688 ClientConfig::KubernetesCloud { cloud, .. } => cloud.gcp_config(),
689 _ => None,
690 }
691 }
692
693 pub fn azure_config(&self) -> Option<&AzureClientConfig> {
695 match self {
696 ClientConfig::Azure(config) => Some(config),
697 ClientConfig::KubernetesCloud { cloud, .. } => cloud.azure_config(),
698 _ => None,
699 }
700 }
701
702 pub fn kubernetes_config(&self) -> Option<&KubernetesClientConfig> {
704 match self {
705 ClientConfig::Kubernetes(config) => Some(config),
706 ClientConfig::KubernetesCloud { kubernetes, .. } => Some(kubernetes),
707 _ => None,
708 }
709 }
710}
711
712#[cfg(test)]
713mod tests {
714 use super::{
715 AwsClientConfig, AwsCredentials, AzureClientConfig, AzureCredentials, ClientConfig,
716 GcpClientConfig, GcpCredentials, KubernetesClientConfig,
717 };
718
719 #[test]
720 fn kubernetes_cloud_exposes_nested_aws_config() {
721 let config = ClientConfig::KubernetesCloud {
722 kubernetes: Box::new(KubernetesClientConfig::InCluster {
723 namespace: Some("test".to_string()),
724 additional_headers: None,
725 }),
726 cloud: Box::new(ClientConfig::Aws(Box::new(AwsClientConfig {
727 account_id: "123456789012".to_string(),
728 region: "us-east-2".to_string(),
729 credentials: AwsCredentials::AccessKeys {
730 access_key_id: "access".to_string(),
731 secret_access_key: "secret".to_string(),
732 session_token: None,
733 },
734 service_overrides: None,
735 }))),
736 };
737
738 assert_eq!(config.platform(), crate::Platform::Kubernetes);
739 assert!(config.kubernetes_config().is_some());
740 assert_eq!(config.aws_config().unwrap().region, "us-east-2");
741 assert!(config.gcp_config().is_none());
742 assert!(config.azure_config().is_none());
743 }
744
745 #[test]
746 fn kubernetes_cloud_preserves_cloud_config_for_kubernetes_controllers() {
747 let config = ClientConfig::KubernetesCloud {
748 kubernetes: Box::new(KubernetesClientConfig::InCluster {
749 namespace: Some("test".to_string()),
750 additional_headers: None,
751 }),
752 cloud: Box::new(ClientConfig::Aws(Box::new(AwsClientConfig {
753 account_id: "123456789012".to_string(),
754 region: "us-east-2".to_string(),
755 credentials: AwsCredentials::AccessKeys {
756 access_key_id: "access".to_string(),
757 secret_access_key: "secret".to_string(),
758 session_token: None,
759 },
760 service_overrides: None,
761 }))),
762 };
763
764 let kubernetes_config = config
765 .config_for_platform(crate::Platform::Kubernetes)
766 .unwrap();
767
768 assert!(matches!(
769 kubernetes_config,
770 ClientConfig::KubernetesCloud { .. }
771 ));
772 assert!(kubernetes_config.kubernetes_config().is_some());
773 assert_eq!(kubernetes_config.aws_config().unwrap().region, "us-east-2");
774 }
775
776 #[test]
777 fn kubernetes_cloud_exposes_nested_gcp_config() {
778 let config = ClientConfig::KubernetesCloud {
779 kubernetes: Box::new(KubernetesClientConfig::InCluster {
780 namespace: Some("test".to_string()),
781 additional_headers: None,
782 }),
783 cloud: Box::new(ClientConfig::Gcp(Box::new(GcpClientConfig {
784 project_id: "project".to_string(),
785 region: "us-central1".to_string(),
786 credentials: GcpCredentials::AccessToken {
787 token: "token".to_string(),
788 },
789 service_overrides: None,
790 project_number: None,
791 }))),
792 };
793
794 assert_eq!(config.gcp_config().unwrap().project_id, "project");
795 assert!(config.aws_config().is_none());
796 assert!(config.azure_config().is_none());
797 }
798
799 #[test]
800 fn kubernetes_cloud_exposes_nested_azure_config() {
801 let config = ClientConfig::KubernetesCloud {
802 kubernetes: Box::new(KubernetesClientConfig::InCluster {
803 namespace: Some("test".to_string()),
804 additional_headers: None,
805 }),
806 cloud: Box::new(ClientConfig::Azure(Box::new(AzureClientConfig {
807 subscription_id: "sub".to_string(),
808 tenant_id: "tenant".to_string(),
809 region: Some("eastus".to_string()),
810 credentials: AzureCredentials::AccessToken {
811 token: "token".to_string(),
812 },
813 service_overrides: None,
814 }))),
815 };
816
817 assert_eq!(config.azure_config().unwrap().subscription_id, "sub");
818 assert!(config.aws_config().is_none());
819 assert!(config.gcp_config().is_none());
820 }
821}