redhat-cop
diff --git a/‎api/v1alpha1/authenginemount_types.go
Lines changed: 14 additions & 6 deletions b/‎api/v1alpha1/authenginemount_types.go
Lines changed: 14 additions & 6 deletions
diff --git a/‎api/v1alpha1/databasesecretengineconfig_types.go
Lines changed: 13 additions & 2 deletions b/‎api/v1alpha1/databasesecretengineconfig_types.go
Lines changed: 13 additions & 2 deletions
diff --git a/‎api/v1alpha1/databasesecretenginerole_types.go
Lines changed: 9 additions & 1 deletion b/‎api/v1alpha1/databasesecretenginerole_types.go
Lines changed: 9 additions & 1 deletion
diff --git a/‎api/v1alpha1/databasesecretenginestaticrole_types.go
Lines changed: 9 additions & 1 deletion b/‎api/v1alpha1/databasesecretenginestaticrole_types.go
Lines changed: 9 additions & 1 deletion
diff --git a/‎api/v1alpha1/githubsecretenginerole_types.go
Lines changed: 9 additions & 1 deletion b/‎api/v1alpha1/githubsecretenginerole_types.go
Lines changed: 9 additions & 1 deletion
diff --git a/‎api/v1alpha1/group_types.go
Lines changed: 9 additions & 1 deletion b/‎api/v1alpha1/group_types.go
Lines changed: 9 additions & 1 deletion
diff --git a/‎api/v1alpha1/groupalias_types.go
Lines changed: 11 additions & 3 deletions b/‎api/v1alpha1/groupalias_types.go
Lines changed: 11 additions & 3 deletions
diff --git a/‎api/v1alpha1/kubernetesauthengineconfig_types.go
Lines changed: 8 additions & 0 deletions b/‎api/v1alpha1/kubernetesauthengineconfig_types.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎api/v1alpha1/kubernetesauthenginerole_types.go
Lines changed: 8 additions & 0 deletions b/‎api/v1alpha1/kubernetesauthenginerole_types.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎api/v1alpha1/kubernetessecretenginerole_types.go
Lines changed: 9 additions & 1 deletion b/‎api/v1alpha1/kubernetessecretenginerole_types.go
Lines changed: 9 additions & 1 deletion
@@ -46,6 +46,18 @@ type AuthEngineMountSpec struct {
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path /sys/auth/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
+}
+
+func (d *AuthEngineMount) GetPath() string {
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Name)
 }
 
 type AuthMount struct {
@@ -83,7 +95,7 @@ type AuthMountConfig struct {
 	// AuditNonHMACRequestKeys list of keys that will not be HMAC'd by audit devices in the request data object.
 	// +kubebuilder:validation:Optional
 	// +listType=set
-	// kubebuilder:validation:UniqueItems=true
+	// kubebuilder:validation:UniqueItems:=true
 	AuditNonHMACRequestKeys []string `json:"auditNonHMACRequestKeys,omitempty"`
 
 	// AuditNonHMACResponseKeys list of keys that will not be HMAC'd by audit devices in the response data object.
@@ -101,7 +113,7 @@ type AuthMountConfig struct {
 	// PassthroughRequestHeaders list of headers to whitelist and pass from the request to the plugin.
 	// +kubebuilder:validation:Optional
 	// +listType=set
-	// kubebuilder:validation:UniqueItems=true
+	// kubebuilder:validation:UniqueItems:=true
 	PassthroughRequestHeaders []string `json:"passthroughRequestHeaders,omitempty"`
 
 	// AllowedResponseHeaders list of headers to whitelist, allowing a plugin to include them in the response.
@@ -161,10 +173,6 @@ func (d *AuthEngineMount) GetKubeAuthConfiguration() *vaultutils.KubeAuthConfigu
 	return &d.Spec.Authentication
 }
 
-func (d *AuthEngineMount) GetPath() string {
-	return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Name)
-}
-
 func (d *AuthEngineMount) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
 }
 
@@ -56,6 +56,11 @@ type DatabaseSecretEngineConfigSpec struct {
 	// RootCredentials specifies how to retrieve the credentials for this DatabaseEngine connection.
 	// +kubebuilder:validation:Required
 	RootCredentials vaultutils.RootCredentialConfig `json:"rootCredentials,omitempty"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 var _ vaultutils.VaultObject = &DatabaseSecretEngineConfig{}
@@ -65,10 +70,16 @@ func (d *DatabaseSecretEngineConfig) GetVaultConnection() *vaultutils.VaultConne
 }
 
 func (d *DatabaseSecretEngineConfig) GetPath() string {
-	return string(d.Spec.Path) + "/" + "config" + "/" + d.Name
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "config" + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "config" + "/" + d.Name)
 }
 func (d *DatabaseSecretEngineConfig) GetRootPasswordRotationPath() string {
-	return string(d.Spec.Path) + "/" + "rotate-root" + "/" + d.Name
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "rotate-root" + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "rotate-root" + "/" + d.Name)
 }
 func (d *DatabaseSecretEngineConfig) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
 
@@ -48,6 +48,11 @@ type DatabaseSecretEngineRoleSpec struct {
 	Path vaultutils.Path `json:"path,omitempty"`
 
 	DBSERole `json:",inline"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 var _ vaultutils.VaultObject = &DatabaseSecretEngineRole{}
@@ -59,7 +64,10 @@ func (d *DatabaseSecretEngineRole) GetVaultConnection() *vaultutils.VaultConnect
 }
 
 func (d *DatabaseSecretEngineRole) GetPath() string {
-	return string(d.Spec.Path) + "/" + "roles" + "/" + d.Name
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Name)
 }
 func (d *DatabaseSecretEngineRole) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
 
@@ -48,6 +48,11 @@ type DatabaseSecretEngineStaticRoleSpec struct {
 	Path vaultutils.Path `json:"path,omitempty"`
 
 	DBSEStaticRole `json:",inline"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 type DBSEStaticRole struct {
@@ -140,7 +145,10 @@ func (d *DatabaseSecretEngineStaticRole) GetVaultConnection() *vaultutils.VaultC
 }
 
 func (d *DatabaseSecretEngineStaticRole) GetPath() string {
-	return string(d.Spec.Path) + "/" + "static-roles" + "/" + d.Name
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "static-roles" + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "static-roles" + "/" + d.Name)
 }
 func (d *DatabaseSecretEngineStaticRole) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
 
@@ -51,6 +51,11 @@ type GitHubSecretEngineRoleSpec struct {
 	// When crafting Vault policy, hyper security sensitive organisations may wish to favour repository_ids (GitHub repository IDs are immutable) instead of repositories (GitHub repository names are mutable).
 	// +kubebuilder:validation:Optional
 	PermissionSet `json:",inline"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 type PermissionSet struct {
@@ -93,7 +98,10 @@ func (d *GitHubSecretEngineRole) GetVaultConnection() *vaultutils.VaultConnectio
 }
 
 func (d *GitHubSecretEngineRole) GetPath() string {
-	return string(d.Spec.Path) + "/" + "permissionset" + "/" + d.Name
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "permissionset" + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "permissionset" + "/" + d.Name)
 }
 func (d *GitHubSecretEngineRole) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
 
@@ -39,6 +39,11 @@ type GroupSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	GroupConfig `json:",inline"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 type GroupConfig struct {
@@ -123,7 +128,10 @@ func (d *Group) GetVaultConnection() *vaultutils.VaultConnection {
 }
 
 func (d *Group) GetPath() string {
-	return string("/identity/group/name/" + d.Name)
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string("/identity/group/name/" + d.Spec.Name))
+	}
+	return vaultutils.CleansePath(string("/identity/group/name/" + d.Name))
 }
 
 func (d *Group) GetPayload() map[string]interface{} {
 
@@ -51,6 +51,11 @@ type GroupAliasSpec struct {
 	retrievedAliasID string `json:"-"`
 
 	retrievedName string `json:"-"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 type GroupAliasConfig struct {
@@ -157,13 +162,16 @@ func (d *GroupAlias) PrepareInternalValues(context context.Context, object clien
 		return err
 	}
 	d.Spec.retrievedCanonicalID = secret.Data["id"].(string)
-
-	d.Spec.retrievedName = d.Name
+	if d.Spec.Name != "" {
+		d.Spec.retrievedName = d.Spec.Name
+	} else {
+		d.Spec.retrievedName = d.Name
+	}
 
 	if d.Status.ID == "" {
 		//we have to create the group alias as unfortunately this api is asymmetric
 		payload := map[string]interface{}{
-			"name":           d.Name,
+			"name":           map[bool]string{true: d.Spec.Name, false: d.Name}[d.Spec.Name != ""],
 			"mount_accessor": d.Spec.retrievedMountAccessor,
 			"canonical_id":   d.Spec.retrievedCanonicalID,
 		}
 
@@ -52,13 +52,21 @@ type KubernetesAuthEngineConfigSpec struct {
 	// TokenReviewerServiceAccount A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set, the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.
 	// +kubebuilder:validation:Optional
 	TokenReviewerServiceAccount *corev1.LocalObjectReference `json:"tokenReviewerServiceAccount,omitempty"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 func (d *KubernetesAuthEngineConfig) GetVaultConnection() *vaultutils.VaultConnection {
 	return d.Spec.Connection
 }
 
 func (d *KubernetesAuthEngineConfig) GetPath() string {
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/" + d.Spec.Name + "/config")
+	}
 	return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/" + d.Name + "/config")
 }
 
 
@@ -53,6 +53,11 @@ type KubernetesAuthEngineRoleSpec struct {
 	// TargetNamespaces specifies how to retrieve the namespaces bound to this Vault role.
 	// +kubebuilder:validation:Required
 	TargetNamespaces vaultutils.TargetNamespaceConfig `json:"targetNamespaces,omitempty"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 var _ vaultutils.VaultObject = &KubernetesAuthEngineRole{}
@@ -63,6 +68,9 @@ func (d *KubernetesAuthEngineRole) GetVaultConnection() *vaultutils.VaultConnect
 }
 
 func (d *KubernetesAuthEngineRole) GetPath() string {
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/role/" + d.Spec.Name)
+	}
 	return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/role/" + d.Name)
 }
 func (d *KubernetesAuthEngineRole) GetPayload() map[string]interface{} {
 
@@ -50,14 +50,22 @@ type KubernetesSecretEngineRoleSpec struct {
 	TargetNamespaces vaultutils.TargetNamespaceConfig `json:"targetNamespaces,omitempty"`
 
 	KubeSERole `json:",inline"`
+
+	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
+	Name string `json:"name,omitempty"`
 }
 
 var _ vaultutils.VaultObject = &KubernetesSecretEngineRole{}
 
 var _ vaultutils.ConditionsAware = &KubernetesSecretEngineRole{}
 
 func (d *KubernetesSecretEngineRole) GetPath() string {
-	return string(d.Spec.Path) + "/" + "roles" + "/" + d.Name
+	if d.Spec.Name != "" {
+		return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Spec.Name)
+	}
+	return vaultutils.CleansePath(string(d.Spec.Path) + "/" + "roles" + "/" + d.Name)
 }
 func (d *KubernetesSecretEngineRole) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,11 @@ type GroupSpec struct {`
`39`	`39`	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
`40`	`40`
`41`	`41`	GroupConfig `json:",inline"`
	`42`	`+`
	`43`	`+ // The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}`
	`44`	`+ // +kubebuilder:validation:Optional`
	`45`	+ // +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
	`46`	+ Name string `json:"name,omitempty"`
`42`	`47`	`}`
`43`	`48`
`44`	`49`	`type GroupConfig struct {`
`@@ -123,7 +128,10 @@ func (d Group) GetVaultConnection() vaultutils.VaultConnection {`
`123`	`128`	`}`
`124`	`129`
`125`	`130`	`func (d *Group) GetPath() string {`
`126`		`- return string("/identity/group/name/" + d.Name)`
	`131`	`+ if d.Spec.Name != "" {`
	`132`	`+ return vaultutils.CleansePath(string("/identity/group/name/" + d.Spec.Name))`
	`133`	`+ }`
	`134`	`+ return vaultutils.CleansePath(string("/identity/group/name/" + d.Name))`
`127`	`135`	`}`
`128`	`136`
`129`	`137`	`func (d *Group) GetPayload() map[string]interface{} {`
Original file line number	Diff line number	Diff line change
`@@ -52,13 +52,21 @@ type KubernetesAuthEngineConfigSpec struct {`
`52`	`52`	`// TokenReviewerServiceAccount A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set, the JWT submitted in the login payload will be used to access the Kubernetes TokenReview API.`
`53`	`53`	`// +kubebuilder:validation:Optional`
`54`	`54`	TokenReviewerServiceAccount *corev1.LocalObjectReference `json:"tokenReviewerServiceAccount,omitempty"`
	`55`	`+`
	`56`	`+ // The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}`
	`57`	`+ // +kubebuilder:validation:Optional`
	`58`	+ // +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
	`59`	+ Name string `json:"name,omitempty"`
`55`	`60`	`}`
`56`	`61`
`57`	`62`	`func (d KubernetesAuthEngineConfig) GetVaultConnection() vaultutils.VaultConnection {`
`58`	`63`	`return d.Spec.Connection`
`59`	`64`	`}`
`60`	`65`
`61`	`66`	`func (d *KubernetesAuthEngineConfig) GetPath() string {`
	`67`	`+ if d.Spec.Name != "" {`
	`68`	`+ return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/" + d.Spec.Name + "/config")`
	`69`	`+ }`
`62`	`70`	`return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/" + d.Name + "/config")`
`63`	`71`	`}`
`64`	`72`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,11 @@ type KubernetesAuthEngineRoleSpec struct {`
`53`	`53`	`// TargetNamespaces specifies how to retrieve the namespaces bound to this Vault role.`
`54`	`54`	`// +kubebuilder:validation:Required`
`55`	`55`	TargetNamespaces vaultutils.TargetNamespaceConfig `json:"targetNamespaces,omitempty"`
	`56`	`+`
	`57`	`+ // The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}`
	`58`	`+ // +kubebuilder:validation:Optional`
	`59`	+ // +kubebuilder:validation:Pattern:=`[a-z0-9]([-a-z0-9]*[a-z0-9])?`
	`60`	+ Name string `json:"name,omitempty"`
`56`	`61`	`}`
`57`	`62`
`58`	`63`	`var _ vaultutils.VaultObject = &KubernetesAuthEngineRole{}`
`@@ -63,6 +68,9 @@ func (d KubernetesAuthEngineRole) GetVaultConnection() vaultutils.VaultConnect`
`63`	`68`	`}`
`64`	`69`
`65`	`70`	`func (d *KubernetesAuthEngineRole) GetPath() string {`
	`71`	`+ if d.Spec.Name != "" {`
	`72`	`+ return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/role/" + d.Spec.Name)`
	`73`	`+ }`
`66`	`74`	`return vaultutils.CleansePath("auth/" + string(d.Spec.Path) + "/role/" + d.Name)`
`67`	`75`	`}`
`68`	`76`	`func (d *KubernetesAuthEngineRole) GetPayload() map[string]interface{} {`