Add secret ref to Hardware:

This will enable passing secrets securely to clients. Hegel is planned to use these fields for secure secret passing. Signed-off-by: Jacob Weinstock <[email protected]>
jacobweinstock · Apr 9, 2024 · 44c580d · 44c580d
1 parent 6c01ed2
commit 44c580d
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 1 deletion.
diff --git a/api/v1alpha1/hardware_types.go b/api/v1alpha1/hardware_types.go
@@ -150,6 +150,22 @@ type HardwareMetadata struct {
 	Instance     *MetadataInstance     `json:"instance,omitempty"`
 	Custom       *MetadataCustom       `json:"custom,omitempty"`
 	Facility     *MetadataFacility     `json:"facility,omitempty"`
+	Secret       *Secret               `json:"secret,omitempty"`
+}
+
+// Secret holds reference to the secret and signing mechanism for securely passing secrets to clients.
+type Secret struct {
+	// Ref is the SecretReference that contains secret data.
+	Ref corev1.SecretReference `json:"ref,omitempty"`
+	// Signing holds the data used to sign secrets.
+	Signing *Signing `json:"signing,omitempty"`
+}
+
+// Signing holds the data used to sign secrets. This is used to securely pass
+// secrets to clients.
+type Signing struct {
+	Algorithm string `json:"algorithm,omitempty"`
+	Key       string `json:"key,omitempty"`
 }
 
 type MetadataManufacturer struct {

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/buf.lock b/buf.lock
@@ -4,4 +4,4 @@ deps:
   - remote: buf.build
     owner: googleapis
     repository: googleapis
-    commit: ee48893a270147348e3edc6c1a03de0e
+    commit: 7a6bc1e3207144b38e9066861e1de0ff
diff --git a/config/crd/bases/tinkerbell.org_hardware.yaml b/config/crd/bases/tinkerbell.org_hardware.yaml
@@ -342,6 +342,29 @@ spec:
                         slug:
                           type: string
                       type: object
+                    secret:
+                      description: Secret holds reference to the secret and signing mechanism for securely passing secrets to clients.
+                      properties:
+                        ref:
+                          description: Ref is the SecretReference that contains secret data.
+                          properties:
+                            name:
+                              description: name is unique within a namespace to reference a secret resource.
+                              type: string
+                            namespace:
+                              description: namespace defines the space within which the secret name must be unique.
+                              type: string
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        signing:
+                          description: Signing holds the data used to sign secrets.
+                          properties:
+                            algorithm:
+                              type: string
+                            key:
+                              type: string
+                          type: object
+                      type: object
                     state:
                       default: provisioning
                       type: string