---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: OauthApplication
metadata:
  name: helloupbound
spec:
  applicationName: Hello Upbound
  enabled: true

---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: ClientCertificate
metadata:
  name: helloupbound-certificate01
  namespace: default
spec:
  type: "AsymmetricX509Cert"
  encoding: "pem"
  startDate: "2025-08-26T09:05:28Z"  # Optional - Extracted from certificate
  endDate: "2026-08-26T09:05:28Z"    # Optional - Extracted from certificate
  # endDateRelative: "8712h"  # 1 year validity
  cert: |-
    -----BEGIN CERTIFICATE-----
    MIIDrTCCApWgAwIBAgIUamFCIm30UdV5nV8cbI6GFYpVX4swDQYJKoZIhvcNAQEL
    BQAwZjELMAkGA1UEBhMCQVUxDDAKBgNVBAgMA1ZJQzESMBAGA1UEBwwJTWVsYm91
    cm5lMQ0wCwYDVQQKDAREZW1vMQswCQYDVQQLDAJJVDEZMBcGA1UEAwwQZGVtby5l
    eGFtcGxlLmNvbTAeFw0yNTA4MjYwOTA1MjhaFw0yNjA4MjYwOTA1MjhaMGYxCzAJ
    BgNVBAYTAkFVMQwwCgYDVQQIDANWSUMxEjAQBgNVBAcMCU1lbGJvdXJuZTENMAsG
    A1UECgwERGVtbzELMAkGA1UECwwCSVQxGTAXBgNVBAMMEGRlbW8uZXhhbXBsZS5j
    b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrBZ5/h+Z3S0rOKu3e
    QeYJ3PBUemolKlnGjGJzhUPJ9tDOYznyrqLF69QTYghFZO0T3PpSxzjgpvAf9mw8
    TymRUujyHd+H3PgIJYISzia6eJAFD5lJZATNGPoIU/31iT/6wt42L3tXM8NvRsR7
    9gssxydkABbgsX+Aipo1ooJF10G+E1d4SAQ0TtXZFmDwA0qpwbLwc5JYiMPcUnyG
    zTbtGII66ECE/ZiE47kFt6tzjwsOzSlKXd7NV+C4a7P6F9EVmTxD+SBM9WCC0wWj
    lfXyZKur32JqvrlLJkXBiXuuaqhxWjTkDy2OALQjj1Gir/yKWxiQiRiYlTa9I+kZ
    OCrpAgMBAAGjUzBRMB0GA1UdDgQWBBQZiliWDrRDgX6mJAqMbV2Ml6/BfTAfBgNV
    HSMEGDAWgBQZiliWDrRDgX6mJAqMbV2Ml6/BfTAPBgNVHRMBAf8EBTADAQH/MA0G
    CSqGSIb3DQEBCwUAA4IBAQBZTDjcqSBUzn0GL06NEAuj1h0fUaQqsqRChZ8vmnmO
    NuBNNLz7SK0++nEWj65Yc+oyu+5c8bkXoRYmhxaWFmwELFM29ms7Yl9hr35IEINc
    UaU5diQbjHWPgcNIzFM+PQEkw/ZJo9RnhaG42oqiUDEGK4fOPYsTOFM0GbI/syA1
    jNfZNnX85wRfRySXy7tyYc7TyDINkW8xpKy/VRq3+asMM06jF6kK2Ai+Xn+n9Qth
    qi9iXEl3rvcysO7Uh8JnhnsGWWIt6XI3CiwLx65dXtIUi/UvBcgA5N4weNZViVSL
    ncBeaumJUMhcuDmpdKS9/bN75hFR4KuHzSk41t+my8UN
    -----END CERTIFICATE-----

---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: ClientCertificate
metadata:
  name: helloupbound-certificate02
  namespace: default
spec:
  type: "AsymmetricX509Cert"
  encoding: "pem"
  startDate: "2025-08-26T09:05:28Z"  # Optional - Extracted from certificate
  endDate: "2026-08-26T09:05:28Z"    # Optional - Extracted from certificate
  # endDateRelative: "8712h"  # Optional - 1 year validity
  cert: |-
    -----BEGIN CERTIFICATE-----
    MIIDrTCCApWgAwIBAgIUamFCIm30UdV5nV8cbI6GFYpVX4swDQYJKoZIhvcNAQEL
    BQAwZjELMAkGA1UEBhMCQVUxDDAKBgNVBAgMA1ZJQzESMBAGA1UEBwwJTWVsYm91
    cm5lMQ0wCwYDVQQKDAREZW1vMQswCQYDVQQLDAJJVDEZMBcGA1UEAwwQZGVtby5l
    eGFtcGxlLmNvbTAeFw0yNTA4MjYwOTA1MjhaFw0yNjA4MjYwOTA1MjhaMGYxCzAJ
    BgNVBAYTAkFVMQwwCgYDVQQIDANWSUMxEjAQBgNVBAcMCU1lbGJvdXJuZTENMAsG
    A1UECgwERGVtbzELMAkGA1UECwwCSVQxGTAXBgNVBAMMEGRlbW8uZXhhbXBsZS5j
    b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrBZ5/h+Z3S0rOKu3e
    QeYJ3PBUemolKlnGjGJzhUPJ9tDOYznyrqLF69QTYghFZO0T3PpSxzjgpvAf9mw8
    TymRUujyHd+H3PgIJYISzia6eJAFD5lJZATNGPoIU/31iT/6wt42L3tXM8NvRsR7
    9gssxydkABbgsX+Aipo1ooJF10G+E1d4SAQ0TtXZFmDwA0qpwbLwc5JYiMPcUnyG
    zTbtGII66ECE/ZiE47kFt6tzjwsOzSlKXd7NV+C4a7P6F9EVmTxD+SBM9WCC0wWj
    lfXyZKur32JqvrlLJkXBiXuuaqhxWjTkDy2OALQjj1Gir/yKWxiQiRiYlTa9I+kZ
    OCrpAgMBAAGjUzBRMB0GA1UdDgQWBBQZiliWDrRDgX6mJAqMbV2Ml6/BfTAfBgNV
    HSMEGDAWgBQZiliWDrRDgX6mJAqMbV2Ml6/BfTAPBgNVHRMBAf8EBTADAQH/MA0G
    CSqGSIb3DQEBCwUAA4IBAQBZTDjcqSBUzn0GL06NEAuj1h0fUaQqsqRChZ8vmnmO
    NuBNNLz7SK0++nEWj65Yc+oyu+5c8bkXoRYmhxaWFmwELFM29ms7Yl9hr35IEINc
    UaU5diQbjHWPgcNIzFM+PQEkw/ZJo9RnhaG42oqiUDEGK4fOPYsTOFM0GbI/syA1
    jNfZNnX85wRfRySXy7tyYc7TyDINkW8xpKy/VRq3+asMM06jF6kK2Ai+Xn+n9Qth
    qi9iXEl3rvcysO7Uh8JnhnsGWWIt6XI3CiwLx65dXtIUi/UvBcgA5N4weNZViVSL
    ncBeaumJUMhcuDmpdKS9/bN75hFR4KuHzSk41t+my8UN
    -----END CERTIFICATE-----
---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: FederatedIdentity
metadata:
  name: helloupbound
spec:
  audiences:
    - api://AzureADTokenExchange
  description: Deployments for my-repo
  displayName: my-git-repo-deploy
  issuer: https://token.actions.githubusercontent.com
  subject: repo:my-organization/my-repo:environment:prod

---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: FederatedIdentity
metadata:
  name: spiffe-workload-credential
spec:
  audiences:
    - api://AzureADTokenExchange
  description: Federated credential for SPIFFE workload identity
  displayName: spiffe-workload-credential
  issuer: https://spire-server.example.com
  subject: spiffe://example.com/workload/my-service

---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: FederatedIdentity
metadata:
  name: terraform-cloud-credential
spec:
  audiences:
    - api://AzureADTokenExchange
  description: Federated credential for Terraform Cloud runs
  displayName: terraform-cloud-credential
  issuer: https://app.terraform.io
  subject: "organization:{org-name}:project:{project-name}:workspace:{workspace-name}:run_phase:plan"

---
apiVersion: compositions.azuread.inuit.io/v1alpha1
kind: FederatedIdentity
metadata:
  name: custom-oidc-provider
spec:
  audiences:
    - api://AzureADTokenExchange
  description: "Federated credential for custom OIDC provider"
  displayName: custom-oidc-provider
  issuer: "https://my-custom-oidc-provider.com"
  subject: "service:my-application:environment:production"