Drop kubevault.dev/apimachinery/client dependency

go.mod

@@ -22,6 +22,7 @@ require (
 	gomodules.xyz/x v0.0.17
 	google.golang.org/api v0.191.0
 	google.golang.org/protobuf v1.36.10
+	k8s.io/api v0.34.3
 	k8s.io/apimachinery v0.34.3
 	k8s.io/cli-runtime v0.34.3
 	k8s.io/client-go v0.34.3
@@ -30,6 +31,7 @@ require (
 	kmodules.xyz/client-go v0.34.3
 	kmodules.xyz/custom-resources v0.34.0
 	kubevault.dev/apimachinery v0.25.0-rc.1
+	sigs.k8s.io/controller-runtime v0.22.4
 	sigs.k8s.io/secrets-store-csi-driver v1.5.1
 	sigs.k8s.io/yaml v1.6.0
 )
@@ -180,7 +182,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.34.3 // indirect
 	k8s.io/apiextensions-apiserver v0.34.3 // indirect
 	k8s.io/apiserver v0.34.3 // indirect
 	k8s.io/component-base v0.34.3 // indirect
@@ -189,7 +190,6 @@ require (
 	kmodules.xyz/apiversion v0.2.0 // indirect
 	kmodules.xyz/monitoring-agent-api v0.34.0 // indirect
 	kmodules.xyz/offshoot-api v0.34.0 // indirect
-	sigs.k8s.io/controller-runtime v0.22.4 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect

go.sum

@@ -661,8 +661,6 @@ golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUO
 golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 gomodules.xyz/clock v0.0.0-20200817085942-06523dba733f h1:hTyhR4r+tj1Uq7/PpFxLTzbeA0LhMVp7bEYfhkzFjdY=
 gomodules.xyz/clock v0.0.0-20200817085942-06523dba733f/go.mod h1:K3m7N+nBOlf91/tpv8REUGwsAgaKFwElQCuiLhm12AQ=
-gomodules.xyz/encoding v0.0.8 h1:r2Koq0BJ4HQCCjPTHuti0ItJDXqWJoLRHcm14Ayyp10=
-gomodules.xyz/encoding v0.0.8/go.mod h1:tn9zeeM1vHMxwVIwJQo7gGfJSCOklnU11tZ+3gSbj08=
 gomodules.xyz/flags v0.1.3 h1:jQ06+EfmoMv5NvjXvJon03dOhLU+FF0TQMWN7I6qpzs=
 gomodules.xyz/flags v0.1.3/go.mod h1:e+kvBLnqdEWGG670SKOYag1CXStM2Slrxq01OIK3tFs=
 gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
@@ -680,8 +678,6 @@ gomodules.xyz/runtime v0.3.0/go.mod h1:lJuiayVYjz8LWDwKhbDqFzUrXqr1btLbJS5/lKDz1
 gomodules.xyz/sets v0.2.0/go.mod h1:jKgNp01/iDs+svOWXaPk5cKP3VXy0mWUoTF/ore+aMc=
 gomodules.xyz/sets v0.2.1 h1:vK3oUWoGVrZKLDKO/bzEo/ucHFdCE7+DxWPeWxK72KQ=
 gomodules.xyz/sets v0.2.1/go.mod h1:jKgNp01/iDs+svOWXaPk5cKP3VXy0mWUoTF/ore+aMc=
-gomodules.xyz/testing v0.0.4 h1:XGKt4B64mBe7P9kPR0Rz1nCQpWoSpBEFdTGkfU1RLe4=
-gomodules.xyz/testing v0.0.4/go.mod h1:hD6aXtv9eVycPwS01zv+QTl5BrK2DXQgr6bHqnrW+44=
 gomodules.xyz/wait v0.2.0 h1:HnRIh+cvIrrKIFaXoYznCVVirv2/2xu3KzjSzsQmYAY=
 gomodules.xyz/wait v0.2.0/go.mod h1:g/epKzZQuCqgvhzhaoG4cSBNGHqnOrhFR4Q7szDJ1JM=
 gomodules.xyz/x v0.0.17 h1:Ik3wf0suCMiYPY0miFUh+q8BpjsUHc/7zvANbFViBQA=

pkg/cmds/generate.go

@@ -23,19 +23,24 @@ import (
 	"os"
 	"strings"
 
-	enginecs "kubevault.dev/apimachinery/client/clientset/versioned/typed/engine/v1alpha1"
-	vaultcs "kubevault.dev/apimachinery/client/clientset/versioned/typed/kubevault/v1alpha2"
-	policycs "kubevault.dev/apimachinery/client/clientset/versioned/typed/policy/v1alpha1"
+	engineapi "kubevault.dev/apimachinery/apis/engine/v1alpha1"
+	vaultv1a2 "kubevault.dev/apimachinery/apis/kubevault/v1alpha2"
+	policyapi "kubevault.dev/apimachinery/apis/policy/v1alpha1"
 	"kubevault.dev/cli/pkg/generate"
 
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes"
+	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	secretsstore "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 	"sigs.k8s.io/yaml"
 )
@@ -165,14 +170,14 @@ func (o *generateOption) generate(clientGetter genericclioptions.RESTClientGette
 		return errors.Wrap(err, "failed to read kubeconfig")
 	}
 
-	engineClient, vaultClient, policyClient, kubeClient, err := initClients(cfg)
+	kc, kubeClient, err := initClients(cfg)
 	if err != nil {
 		return err
 	}
 
 	spc := NewSecretProviderClassOptions(o, namespace, ObjectNames[0])
 
-	objectsList, err := spc.generateSecretObjects(engineClient, vaultClient, policyClient, kubeClient)
+	objectsList, err := spc.generateSecretObjects(kc, kubeClient)
 	if err != nil {
 		return err
 	}
@@ -184,9 +189,9 @@ func (o *generateOption) generate(clientGetter genericclioptions.RESTClientGette
 	return nil
 }
 
-func (s *SecretProviderClassOptions) generateSecretObjects(engineClient *enginecs.EngineV1alpha1Client, vaultClient *vaultcs.KubevaultV1alpha2Client, policyClient *policycs.PolicyV1alpha1Client, kubeClient *kubernetes.Clientset) (string, error) {
-	if engineClient == nil || vaultClient == nil || policyClient == nil || kubeClient == nil {
-		return "", errors.New("engineClient/vaultClient/policyClient/kubeClient is nil")
+func (s *SecretProviderClassOptions) generateSecretObjects(kc client.Client, kubeClient *kubernetes.Clientset) (string, error) {
+	if kc == nil || kubeClient == nil {
+		return "", errors.New("kc/kubeClient is nil")
 	}
 
 	var srbNs, srbName string
@@ -199,8 +204,8 @@ func (s *SecretProviderClassOptions) generateSecretObjects(engineClient *enginec
 		srbName = srb[1]
 	}
 
-	srbObj, err := engineClient.SecretRoleBindings(srbNs).Get(context.TODO(), srbName, metav1.GetOptions{})
-	if err != nil {
+	srbObj := &engineapi.SecretRoleBinding{}
+	if err := kc.Get(context.TODO(), types.NamespacedName{Namespace: srbNs, Name: srbName}, srbObj); err != nil {
 		return "", err
 	}
 
@@ -220,7 +225,7 @@ func (s *SecretProviderClassOptions) generateSecretObjects(engineClient *enginec
 		return "", errors.Errorf("%s/%s not found in secretrolebinding", role[0], role[1])
 	}
 
-	gen, err := generate.NewGenerator(role, srbObj, s.options.keys, engineClient, vaultClient, policyClient, kubeClient)
+	gen, err := generate.NewGenerator(role, srbObj, s.options.keys, kc, kubeClient)
 	if err != nil {
 		return "", err
 	}
@@ -290,26 +295,22 @@ func (s *SecretProviderClassOptions) generateSecretProviderClass(objectsList str
 	return nil
 }
 
-func initClients(cfg *rest.Config) (*enginecs.EngineV1alpha1Client, *vaultcs.KubevaultV1alpha2Client, *policycs.PolicyV1alpha1Client, *kubernetes.Clientset, error) {
-	engineClient, err := enginecs.NewForConfig(cfg)
-	if err != nil {
-		return nil, nil, nil, nil, err
-	}
-
-	vaultClient, err := vaultcs.NewForConfig(cfg)
-	if err != nil {
-		return nil, nil, nil, nil, err
-	}
+func initClients(cfg *rest.Config) (client.Client, *kubernetes.Clientset, error) {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(clientsetscheme.AddToScheme(scheme))
+	utilruntime.Must(engineapi.AddToScheme(scheme))
+	utilruntime.Must(vaultv1a2.AddToScheme(scheme))
+	utilruntime.Must(policyapi.AddToScheme(scheme))
 
-	policyClient, err := policycs.NewForConfig(cfg)
+	kc, err := client.New(cfg, client.Options{Scheme: scheme})
 	if err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, err
 	}
 
 	kubeClient, err := kubernetes.NewForConfig(cfg)
 	if err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, err
 	}
 
-	return engineClient, vaultClient, policyClient, kubeClient, nil
+	return kc, kubeClient, nil
 }

pkg/cmds/root.go

@@ -17,7 +17,9 @@ limitations under the License.
 package cmds
 
 import (
-	"kubevault.dev/apimachinery/client/clientset/versioned/scheme"
+	engineapi "kubevault.dev/apimachinery/apis/engine/v1alpha1"
+	vaultv1a2 "kubevault.dev/apimachinery/apis/kubevault/v1alpha2"
+	policyapi "kubevault.dev/apimachinery/apis/policy/v1alpha1"
 
 	"github.com/spf13/cobra"
 	v "gomodules.xyz/x/version"
@@ -34,7 +36,9 @@ func NewRootCmd() *cobra.Command {
 		Short:             `KubeVault cli by AppsCode`,
 		DisableAutoGenTag: true,
 		PersistentPreRun: func(c *cobra.Command, args []string) {
-			utilruntime.Must(scheme.AddToScheme(clientsetscheme.Scheme))
+			utilruntime.Must(engineapi.AddToScheme(clientsetscheme.Scheme))
+			utilruntime.Must(vaultv1a2.AddToScheme(clientsetscheme.Scheme))
+			utilruntime.Must(policyapi.AddToScheme(clientsetscheme.Scheme))
 			utilruntime.Must(appcatscheme.AddToScheme(clientsetscheme.Scheme))
 		},
 	}

pkg/cmds/root_token.go

@@ -22,7 +22,7 @@ import (
 	"os"
 	"strings"
 
-	vaultapi "kubevault.dev/apimachinery/apis/kubevault/v1alpha2"
+	vaultv1a2 "kubevault.dev/apimachinery/apis/kubevault/v1alpha2"
 	token_key_store "kubevault.dev/cli/pkg/token-keys-store"
 
 	"github.com/hashicorp/vault/sdk/helper/xor"
@@ -215,8 +215,8 @@ Examples:
 func (o *getTokenOptions) get(clientGetter genericclioptions.RESTClientGetter) error {
 	var resourceName string
 	switch ResourceName {
-	case strings.ToLower(vaultapi.ResourceVaultServer), strings.ToLower(vaultapi.ResourceVaultServers):
-		resourceName = vaultapi.ResourceVaultServer
+	case strings.ToLower(vaultv1a2.ResourceVaultServer), strings.ToLower(vaultv1a2.ResourceVaultServers):
+		resourceName = vaultv1a2.ResourceVaultServer
 	default:
 		return errors.New(fmt.Sprintf("unknown/unsupported resource %s", ResourceName))
 	}
@@ -255,8 +255,8 @@ func (o *getTokenOptions) get(clientGetter genericclioptions.RESTClientGetter) e
 
 		var err2 error
 		switch info.Object.(type) {
-		case *vaultapi.VaultServer:
-			obj := info.Object.(*vaultapi.VaultServer)
+		case *vaultv1a2.VaultServer:
+			obj := info.Object.(*vaultv1a2.VaultServer)
 			err2 = o.getRootToken(obj, kubeClient)
 		default:
 			err2 = errors.New("unknown/unsupported type")
@@ -266,7 +266,7 @@ func (o *getTokenOptions) get(clientGetter genericclioptions.RESTClientGetter) e
 	return err
 }
 
-func (o *getTokenOptions) getRootToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) error {
+func (o *getTokenOptions) getRootToken(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) error {
 	ti, err := token_key_store.NewTokenKeyInterface(vs, kubeClient)
 	if err != nil {
 		return err
@@ -301,8 +301,8 @@ func (o *getTokenOptions) getRootToken(vs *vaultapi.VaultServer, kubeClient kube
 func (o *delTokenOptions) del(clientGetter genericclioptions.RESTClientGetter) error {
 	var resourceName string
 	switch ResourceName {
-	case strings.ToLower(vaultapi.ResourceVaultServer), strings.ToLower(vaultapi.ResourceVaultServers):
-		resourceName = vaultapi.ResourceVaultServer
+	case strings.ToLower(vaultv1a2.ResourceVaultServer), strings.ToLower(vaultv1a2.ResourceVaultServers):
+		resourceName = vaultv1a2.ResourceVaultServer
 	default:
 		return errors.New(fmt.Sprintf("unknown/unsupported resource %s", ResourceName))
 	}
@@ -341,8 +341,8 @@ func (o *delTokenOptions) del(clientGetter genericclioptions.RESTClientGetter) e
 
 		var err2 error
 		switch info.Object.(type) {
-		case *vaultapi.VaultServer:
-			obj := info.Object.(*vaultapi.VaultServer)
+		case *vaultv1a2.VaultServer:
+			obj := info.Object.(*vaultv1a2.VaultServer)
 			err2 = o.deleteRootToken(obj, kubeClient)
 		default:
 			err2 = errors.New("unknown/unsupported type")
@@ -352,7 +352,7 @@ func (o *delTokenOptions) del(clientGetter genericclioptions.RESTClientGetter) e
 	return err
 }
 
-func (o *delTokenOptions) deleteRootToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) error {
+func (o *delTokenOptions) deleteRootToken(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) error {
 	ti, err := token_key_store.NewTokenKeyInterface(vs, kubeClient)
 	if err != nil {
 		return err
@@ -380,8 +380,8 @@ func (o *delTokenOptions) deleteRootToken(vs *vaultapi.VaultServer, kubeClient k
 func (o *setTokenOptions) set(clientGetter genericclioptions.RESTClientGetter) error {
 	var resourceName string
 	switch ResourceName {
-	case strings.ToLower(vaultapi.ResourceVaultServer), strings.ToLower(vaultapi.ResourceVaultServers):
-		resourceName = vaultapi.ResourceVaultServer
+	case strings.ToLower(vaultv1a2.ResourceVaultServer), strings.ToLower(vaultv1a2.ResourceVaultServers):
+		resourceName = vaultv1a2.ResourceVaultServer
 	default:
 		return errors.New(fmt.Sprintf("unknown/unsupported resource %s", ResourceName))
 	}
@@ -420,8 +420,8 @@ func (o *setTokenOptions) set(clientGetter genericclioptions.RESTClientGetter) e
 
 		var err2 error
 		switch info.Object.(type) {
-		case *vaultapi.VaultServer:
-			obj := info.Object.(*vaultapi.VaultServer)
+		case *vaultv1a2.VaultServer:
+			obj := info.Object.(*vaultv1a2.VaultServer)
 			err2 = o.setRootToken(obj, kubeClient)
 		default:
 			err2 = errors.New("unknown/unsupported type")
@@ -464,8 +464,8 @@ Examples:
 func syncRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 	var resourceName string
 	switch ResourceName {
-	case strings.ToLower(vaultapi.ResourceVaultServer), strings.ToLower(vaultapi.ResourceVaultServers):
-		resourceName = vaultapi.ResourceVaultServer
+	case strings.ToLower(vaultv1a2.ResourceVaultServer), strings.ToLower(vaultv1a2.ResourceVaultServers):
+		resourceName = vaultv1a2.ResourceVaultServer
 	default:
 		return errors.New(fmt.Sprintf("unknown/unsupported resource %s", ResourceName))
 	}
@@ -504,8 +504,8 @@ func syncRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 
 		var err2 error
 		switch info.Object.(type) {
-		case *vaultapi.VaultServer:
-			obj := info.Object.(*vaultapi.VaultServer)
+		case *vaultv1a2.VaultServer:
+			obj := info.Object.(*vaultv1a2.VaultServer)
 			err2 = syncToken(obj, kubeClient)
 		default:
 			err2 = errors.New("unknown/unsupported type")
@@ -515,7 +515,7 @@ func syncRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 	return err
 }
 
-func syncToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) error {
+func syncToken(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) error {
 	ti, err := token_key_store.NewTokenKeyInterface(vs, kubeClient)
 	if err != nil {
 		return err
@@ -552,7 +552,7 @@ func syncToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) error
 	return nil
 }
 
-func (o *setTokenOptions) setRootToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) error {
+func (o *setTokenOptions) setRootToken(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) error {
 	ti, err := token_key_store.NewTokenKeyInterface(vs, kubeClient)
 	if err != nil {
 		return err
@@ -619,8 +619,8 @@ Examples:
 func generateRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 	var resourceName string
 	switch ResourceName {
-	case strings.ToLower(vaultapi.ResourceVaultServer), strings.ToLower(vaultapi.ResourceVaultServers):
-		resourceName = vaultapi.ResourceVaultServer
+	case strings.ToLower(vaultv1a2.ResourceVaultServer), strings.ToLower(vaultv1a2.ResourceVaultServers):
+		resourceName = vaultv1a2.ResourceVaultServer
 	default:
 		return errors.New(fmt.Sprintf("unknown/unsupported resource %s", ResourceName))
 	}
@@ -660,8 +660,8 @@ func generateRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 		var token string
 		var err2 error
 		switch info.Object.(type) {
-		case *vaultapi.VaultServer:
-			obj := info.Object.(*vaultapi.VaultServer)
+		case *vaultv1a2.VaultServer:
+			obj := info.Object.(*vaultv1a2.VaultServer)
 			token, err2 = generateToken(obj, kubeClient)
 			if err2 == nil && len(token) > 0 {
 				fmt.Println("generated root-token:", token)
@@ -703,7 +703,7 @@ Examples:
 	return cmd
 }
 
-func generateToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) (string, error) {
+func generateToken(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) (string, error) {
 	// For root-token generation
 	// - threshold number of unseal-keys must be present
 	keys, err := getKeys(vs, kubeClient)
@@ -754,8 +754,8 @@ func generateToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) (s
 func rotateRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 	var resourceName string
 	switch ResourceName {
-	case strings.ToLower(vaultapi.ResourceVaultServer), strings.ToLower(vaultapi.ResourceVaultServers):
-		resourceName = vaultapi.ResourceVaultServer
+	case strings.ToLower(vaultv1a2.ResourceVaultServer), strings.ToLower(vaultv1a2.ResourceVaultServers):
+		resourceName = vaultv1a2.ResourceVaultServer
 	default:
 		return errors.New(fmt.Sprintf("unknown/unsupported resource %s", ResourceName))
 	}
@@ -794,8 +794,8 @@ func rotateRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 
 		var err2 error
 		switch info.Object.(type) {
-		case *vaultapi.VaultServer:
-			obj := info.Object.(*vaultapi.VaultServer)
+		case *vaultv1a2.VaultServer:
+			obj := info.Object.(*vaultv1a2.VaultServer)
 			err2 = rotateToken(obj, kubeClient)
 		default:
 			err2 = errors.New("unknown/unsupported type")
@@ -805,7 +805,7 @@ func rotateRootToken(clientGetter genericclioptions.RESTClientGetter) error {
 	return err
 }
 
-func rotateToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) error {
+func rotateToken(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) error {
 	// For root-token rotation:
 	// - new root-token generation must be successful
 	// - old root-token must be present
@@ -857,7 +857,7 @@ func rotateToken(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) erro
 	return nil
 }
 
-func getKeys(vs *vaultapi.VaultServer, kubeClient kubernetes.Interface) ([]string, error) {
+func getKeys(vs *vaultv1a2.VaultServer, kubeClient kubernetes.Interface) ([]string, error) {
 	ti, err := token_key_store.NewTokenKeyInterface(vs, kubeClient)
 	if err != nil {
 		return nil, err