13 changes: 6 additions & 7 deletions api/ferrvault/v1alpha1/connectionspec_types.go
Expand Up @@ -20,7 +20,7 @@ type ConnectionSpec struct {
// Auth via `tokenSecretRef` (`ffclust_…` / `fft_…`) or `oidc`.
//
// - `ferrvault` — new FerrVault SaaS, flat `/v1/operator/secrets/reveal`
// surface. Auth via a Service-Account Token (`sat_…`) bound to a
// surface. Auth via a Service-Account Token (`fvsat_…`) bound to a
// specific vault. `organization` is ignored; the `project` field on
// each secret is ignored too — the SAT scopes everything.
//
Expand Down Expand Up @@ -91,8 +91,11 @@ type OIDCAuth struct {
TokenPath string `json:"tokenPath,omitempty"`

// Audience the projected ServiceAccount token declares in its `aud`
// claim. Must match `EXPECTED_AUDIENCE` on the FerrVault side
// (`https://ferrflow.com`). Defaults to that value when omitted.
// claim. Must match the audience the target API is configured to
// expect: for `ferrvault` mode, the FerrVault API's
// `FERRVAULT_JWT_AUDIENCE` (unset there = no audience check); for
// `cloud` mode, the FerrFlow API's expected audience. Leave empty
// when the target performs no audience validation.
//
// +optional
Audience string `json:"audience,omitempty"`
Expand All @@ -109,10 +112,6 @@ const (
// a single source of truth.
const DefaultTokenPath = "/var/run/secrets/ferrvault/token"

// DefaultAudience matches the FerrVault API's `EXPECTED_AUDIENCE` constant.
// Changing this is a coordinated breaking change across both repos.
const DefaultAudience = "https://ferrflow.com"

// ResolvedMode returns the effective Mode for the connection spec, applying
// the `ferrvault` default for empty values so callers don't have to repeat it.
func (s ConnectionSpec) ResolvedMode() string {
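Review bot: The new Audience doc comment (the `-91,8 +91,11` hunk) presents "leave empty when the target performs no audience validation" as a neutral option, but an unscoped bearer token is the classic confused-deputy risk: a projected ServiceAccount token that carries no target-specific `aud` is accepted by every relying party that trusts the cluster issuer and skips the audience check, so a compromised or misconfigured FerrVault endpoint could replay it elsewhere. With `DefaultAudience` removed in the `-109,10 +112,6` hunk there is no longer a safe fallback, so the comment should steer operators rather than merely describe the knob, e.g. `// Always set this to an audience unique to the target API and enable audience checking there (FERRVAULT_JWT_AUDIENCE); a token with no, or a shared, audience can be replayed against any service that trusts the cluster issuer.` It would also help to state what the projected token's `aud` becomes when the field is empty — if the empty string is passed through to the ServiceAccountTokenProjection unchanged, Kubernetes substitutes the API server's default audience, so the token is not audience-less but an API-server-audience token handed to a third party, which is what a scoped audience exists to prevent. Any remaining references to the removed `DefaultAudience` constant (controller code, tests) are outside this diff and are presumably updated elsewhere in the PR; the enclosing `OIDCAuth` struct also begins before this hunk.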
2 changes: 1 addition & 1 deletion config/samples/ferrvault_v1alpha1_ferrvaultconnection.yaml
Expand Up @@ -16,4 +16,4 @@ metadata:
namespace: my-app
type: Opaque
stringData:
token: sat_REPLACE_ME_WITH_VALUE_FROM_FERRVAULT_UI
token: fvsat_REPLACE_ME_WITH_VALUE_FROM_FERRVAULT_UI
2 changes: 1 addition & 1 deletion internal/ferrvault/client.go
Expand Up @@ -312,7 +312,7 @@ type vaultRevealResponse struct {
// RevealFromVault fetches `names` from the named FerrVault vault via the new
// `POST /v1/operator/secrets/reveal` endpoint. `names` is optional — pass an
// empty slice to pull every secret the SAT can see. The token is interpreted
// as a SAT (`sat_…`) and bound server-side to a specific vault; `vault` here
// as a SAT (`fvsat_…`) and bound server-side to a specific vault; `vault` here
// must match the SAT's vault scope or the API responds 403.
//
// The result is mapped onto `BulkRevealResponse` so the controller can stay