Allow hierarchical token store configuration

component/main.jsonnet

@@ -34,18 +34,31 @@ local alerts = function(name, groupName, alerts)
 
 local emergencyAccounts =
   std.map(
-    function(ea) ea { _create_binding:: super._create_binding },
+    function(ea) ea {
+      // Commodores makeMergeable unhides fields so we hide them after processing
+      _create_binding:: super._create_binding,
+      spec+: {
+        _tokenStores+:: {},
+      },
+    },
     com.generateResources(
       params.emergency_accounts,
-      function(name) kube._Object('cluster.appuio.io/v1beta1', 'EmergencyAccount', name) {
+      function(name) kube._Object('cluster.appuio.io/v1beta1', 'EmergencyAccount', name) + {
+        spec+: {
+          tokenStores+: [],
+          _tokenStores+: {},
+        },
+      } + {
         metadata+: {
           namespace: params.namespace,
         },
+        spec+: {
+          tokenStores+: std.map(function(k) self._tokenStores[k] { name: k }, std.objectFields(self._tokenStores)),
+        },
       },
     )
   );
 
-
 local emergencyAccountBindings = std.filterMap(
   function(name) std.get(params.emergency_accounts[name], '_create_binding', true),
   function(name) kube.ClusterRoleBinding(name) {

docs/modules/ROOT/pages/references/parameters.adoc

@@ -63,6 +63,21 @@ emergency_accounts:
       tokenStores:
         - name: secret
           type: secret
+      _tokenStores:
+        ext-s3:
+          type: s3
+          s3Store:
+            encryption:
+              encrypt: true
+              pgpKeys: [omitted]
+            s3:
+              endpoint: zrh.example.io
+              bucket: emergency-credentials
+              accessKeyId: nJxvJLuryTpxBVt16La4xEM5ZfAB5fIVPGEPdDrR
+              secretAccessKey: Z9rQrB2QHLEcmCVBqGi8EnKlKUfUcQ6PrfXnjenH
+            objectNameTemplate: "em-{{ .Context.ClusterId | sha256sum }}"
+            objectNameTemplateContext:
+              ClusterId: ${cluster:name}
   no-binding:
     _create_binding: false
     spec:
@@ -76,6 +91,10 @@ The value is the configuration of the `EmergencyAccount` object.
 The value has an additional key `_create_binding` which is used to control whether a `ClusterRoleBinding` to the ClusterRole defined in `cluster_admin_role` should be created.
 The default is `true`.
 
+The `_tokenStores` keys is a helper to hierarchically configure the `tokenStores` key.
+It's a dictionary where the key is the name of the `tokenStore` and the value is the configuration of the `tokenStore`.
+The resulting configurations are appended to the `tokenStores` key.
+
 See https://github.com/appuio/emergency-credentials-controller for the manifest definition.
 
 

tests/defaults.yml

@@ -14,3 +14,9 @@ parameters:
         _create_binding: false
         spec:
           validityDuration: 720h
+          tokenStores:
+            - name: secret
+              type: secret
+          _tokenStores:
+            ext-s3:
+              type: s3

tests/golden/defaults/emergency-credentials-controller/emergency-credentials-controller/20_emergencyaccounts.yaml

@@ -22,4 +22,9 @@ metadata:
   name: no-binding
   namespace: appuio-emergency-credentials-controller
 spec:
+  tokenStores:
+    - name: ext-s3
+      type: s3
+    - name: secret
+      type: secret
   validityDuration: 720h