diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index 9b3c344b2..bb10f9f60 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -347,7 +347,12 @@ spec:
 #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
 loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
 #@ end
+ #@ if data.values.impersonation_proxy_spec.service.annotations == None:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
+ #@ else:
 annotations: #@ data.values.impersonation_proxy_spec.service.annotations
+ #@ end
 ---
 apiVersion: v1
 kind: Secret
diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml
index 88027f59e..d41f14b0b 100644
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
@@ -1,6 +1,16 @@
 #! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
+#@ def validate_strings_map(obj):
+#@ # Returns True if obj is an associative data structure string→string, and False otherwise.
+#@ for key in obj:
+#@ if type(key) != "string" or type(obj[key]) != "string":
+#@ return False
+#@ end
+#@ end
+#@ return True
+#@ end
+
 #@data/values-schema
 ---
 #@schema/title "App name"
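Review bot: The added `#@ if ... annotations == None:` branch applies the AWS idle-timeout annotation only when the data value is left null, so a user who supplies any map — including `{}` — silently loses that annotation rather than having it merged; that may be intended, but nothing in the template says so. A one-line ytt comment above the `if` would make the contract visible: `#@ The AWS idle-timeout annotation is applied only when annotations is left unset; a user-supplied map replaces it wholesale.` The default now lives here instead of in the values schema (values.yaml leaves `annotations:` null), so the template and the `annotations_desc` text in values.yaml have to be kept in sync by hand.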
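Review bot: `validate_strings_map` iterates `obj` before checking that it is a map; its callers declare `#@schema/type any=True`, so a scalar or list value reaches the function and `for key in obj` / `obj[key]` fails with a Starlark error instead of returning False, which turns the intended "a map of string keys and string values" message into a stack trace. The `validate_endpoint` function later in this diff already guards with `type(endpoint) in ["yamlfragment"]`; the same guard at the top of this function would cover it: `#@ if type(obj) != "yamlfragment":` / `#@ return False` / `#@ end` (confirm the type name ytt reports for map data values in validation context). The function is duplicated verbatim in deploy/supervisor/values.yaml (hunk @@ -1,6 +1,16 in this diff), so any fix applies there too.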
@@ -31,21 +41,9 @@ into_namespace: ""
 #@ not assume that there was a static install-time yaml namespace."
 #@schema/desc custom_labels_desc
 #@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
-#@ def validate_labels(labels):
-#@ """
-#@ Returns True if labels is an associative data structure string→string,
-#@ and False otherwise.
-#@ """
-#@ for label in labels:
-#@ if type(label) != "string" or type(labels[label]) != "string":
-#@ return False
-#@ end
-#@ end
-#@ return True
-#@ end
 #@schema/type any=True
-#@schema/validation ("a map of keys and values", validate_labels)
-custom_labels: {}
+#@schema/validation ("a map of string keys and string values", validate_strings_map)
+custom_labels: { }
 
 #@schema/title "Replicas"
 #@schema/desc "Specify how many replicas of the Pinniped server to run."
@@ -58,14 +56,14 @@ image_repo: projects.registry.vmware.com/pinniped/pinniped-server
 
 #@schema/title "Image digest"
 #@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
-#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
+#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
 #@schema/nullable
 #@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
 image_digest: ""
 
 #@schema/title "Image tag"
 #@schema/desc "The image tag for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
-#@schema/examples ("Tag", "v0.25.0")
+#@schema/examples ("Providing a tag", "v0.25.0")
 #@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
 image_tag: latest
 
@@ -88,6 +86,7 @@ kube_cert_agent_image: ""
 #@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
 #@schema/examples (example_desc, example_value)
 #@schema/nullable
+#@schema/validation min_len=1
 image_pull_dockerconfigjson: ""
 
 #@schema/title "Discovery URL"
@@ -103,7 +102,7 @@ discovery_url: ""
 #@ Specify this as an integer or as a string which contains an integer value."
 #@schema/desc api_serving_certificate_duration_seconds_desc
 #@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
+#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
 api_serving_certificate_duration_seconds: 2592000
 
 #@schema/title "API serving certificate renew before seconds"
@@ -112,7 +111,7 @@ api_serving_certificate_duration_seconds: 2592000
 #@ Specify this as an integer or as a string which contains an integer value."
 #@schema/desc api_serving_certificate_renew_before_seconds_desc
 #@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
+#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
 api_serving_certificate_renew_before_seconds: 2160000
 
 #@schema/title "Log level"
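Review bot: The new validation message promises "an int or string which contains an integer value", but the lambda on the same line still only checks `type(v) in ["int", "string"]`, so a value like `"abc"` passes the schema and fails later at a less helpful point; the renew-before hunk directly below (@@ -112,7 +111,7) has the same mismatch. Either keep the message to what is actually checked, or check what the message says, e.g. `lambda v: type(v) == "int" or (type(v) == "string" and v.isdigit())` — `isdigit` rejects a leading sign, which is fine for a duration in seconds, assuming the ytt build in use exposes that Starlark string method.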
@@ -138,15 +137,11 @@ deprecated_log_format: ""
 
 #@schema/title "Run as user"
 #@schema/desc "The user ID that will own the process."
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #! See the Dockerfile for the reasoning behind this default value.
 run_as_user: 65532
 
 #@schema/title "Run as group"
 #@schema/desc "The group ID that will own the process."
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #! See the Dockerfile for the reasoning behind this default value.
 run_as_group: 65532
 
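Review bot: With `#@schema/type any=True` and the permissive validation removed, ytt now infers an int type for `run_as_user` and `run_as_group` from their defaults, which also means a previously accepted string such as `"65532"` in an overlay is rejected at render time; a sentence in each `#@schema/desc` saying the value must be an integer would spare operators the surprise. Separately, nothing rejects `0`, which would run the process as root; if that is not meant to be configurable, `#@schema/validation min=1` on both values enforces it at render time rather than relying on the Dockerfile default. The supervisor copy of this stanza (@@ -177,23 +160,19 in deploy/supervisor/values.yaml) has the same two gaps.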
@@ -164,19 +159,21 @@ api_group_suffix: pinniped.dev
 
 impersonation_proxy_spec:
 #@schema/title "Mode"
- #@ impersonation_mode_desc = "If enabled, the impersonation proxy will always run regardless of other strategies available. \
- #@ Options are 'auto', 'disabled' or 'enabled'. If auto, the impersonation proxy will run only if the cluster signing key is \
- #@ not available and the other strategy does not work. If disabled, the impersonation proxy will never run, which could mean \
+ #@ impersonation_mode_desc = "Enables or disables the impersonation proxy. Options are 'auto', 'disabled' or 'enabled'. \
+ #@ If auto, the impersonation proxy will run only if the cluster signing key is \
+ #@ not available and the other strategy does not work. \
+ #@ If enabled, the impersonation proxy will always run regardless of other strategies available. \
+ #@ If disabled, the impersonation proxy will never run, which could mean \
 #@ that the concierge doesn't work at all."
 #@schema/desc impersonation_mode_desc
- #@schema/examples ("Always run, regardless of available strategies", "enabled"),("Detect if cluster signing key is available for use","auto")
+ #@schema/validation one_of=["auto", "disabled", "enabled"]
 mode: auto
 
 #@schema/title "External endpoint"
 #@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
 #@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
 #@schema/desc external_endpoint_desc
- #@schema/examples ("Specified impersonation proxy endpoint", "1.2.3.4:5678")
+ #@schema/examples ("Specified impersonation proxy endpoint", "https://1.2.3.4:5678")
 #@schema/nullable
 #@schema/validation min_len=1
 external_endpoint: ""
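Review bot: The example for `external_endpoint` changed from `1.2.3.4:5678` to `https://1.2.3.4:5678`, but `external_endpoint_desc` still only says "the endpoint which the client should use", so whether the scheme is required, optional or forbidden is undocumented and the only validation is `min_len=1`. Add the accepted form to the description, for example `#@ Specify it as host:port, optionally prefixed with https://.` — confirm the wording against the impersonation proxy's endpoint parsing, since the old and new examples disagree on it.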
@@ -192,33 +189,39 @@ impersonation_proxy_spec:
 #@ automatically provisions a Service of type ClusterIP pointing at the impersonation proxy. None does not provision \
 #@ either and assumes that you have set the external_endpoint and set up your own ingress to connect to the impersonation proxy."
 #@schema/desc impersonation_service_type_desc
- #@schema/examples ("Fall back to ClusterIP", "ClusterIP")
 #@schema/validation one_of=["LoadBalancer", "ClusterIP", "None"]
 type: LoadBalancer
 
 #@schema/title "Annotations"
- #@schema/desc "The annotations that should be set on the ClusterIP or LoadBalancer Service."
+ #@ annotations_desc = "The annotations that should be set on the ClusterIP or LoadBalancer Service. The default includes \
+ #@ a value for the AWS-specific service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout annotation, which will \
+ #@ be ignored except when using AWS to provide load balancer Services."
+ #@schema/desc annotations_desc
+ #@schema/nullable
+ #@schema/type any=True
+ #@schema/validation ("a map of string keys and string values", validate_strings_map)
 annotations:
- {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
 
 #@schema/title "Load balancer IP"
- #@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP."
- #@schema/examples ("Specified IP with port", "1.2.3.4:5678")
+ #@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's spec.loadBalancerIP."
+ #@schema/examples ("Specifying an IP", "1.2.3.4")
 #@schema/nullable
 #@schema/validation min_len=1
 load_balancer_ip: ""
 
 #@schema/title "HTTPS proxy"
-#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
-#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
-#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
-#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
-#@ Optional."
+#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers. \
+#@ These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS, \
+#@ e.g. when the Concierge fetches discovery documents and JWKS keys for JWTAuthenticators and POSTs to webhooks for WebhookAuthenticators. \
+#@ The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
 #@schema/desc https_proxy_desc
-#@schema/examples ("Provide a proxy endpoint","http://proxy.example.com")
+#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
 #@schema/nullable
+#@schema/validation min_len=1
 https_proxy: ""
 
 #@schema/title "No proxy"
-#@schema/desc "Endpoints that should not be proxied. Defaults to some sensible known values on public cloud providers."
-no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
+#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
+#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
+#@schema/desc no_proxy_desc
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
diff --git a/deploy/local-user-authenticator/values.yaml b/deploy/local-user-authenticator/values.yaml
index 7341cd889..45021a698 100644
--- a/deploy/local-user-authenticator/values.yaml
+++ b/deploy/local-user-authenticator/values.yaml
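Review bot: `annotations_desc` says "The default includes" the AWS idle-timeout annotation, but the schema default on the `annotations:` line below it is now null, and the AWS value is applied by deployment.yaml only when the data value is left unset; a user who sets any map, even `{}`, gets exactly that map and no idle-timeout annotation. The description should say so, e.g. `#@ This default is applied only when annotations is not set; a user-supplied map replaces it entirely and is not merged.` Since `#@schema/type any=True` disables ytt's own type check on this field, `validate_strings_map` is the only thing standing between a non-map value and a render-time error, so that function must itself reject non-map input cleanly.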
@@ -10,14 +10,14 @@ image_repo: projects.registry.vmware.com/pinniped/pinniped-server
 
 #@schema/title "Image digest"
 #@schema/desc "The image digest for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."
-#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
+#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
 #@schema/nullable
 #@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
 image_digest: ""
 
 #@schema/title "Image tag"
 #@schema/desc "The image tag for the local-user-authenticator container image. If both image_digest or an image_tag are given, only image_digest will be used."
-#@schema/examples ("Tag", "v0.25.0")
+#@schema/examples ("Providing a tag", "v0.25.0")
 #@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
 image_tag: latest
 
@@ -30,6 +30,7 @@ image_tag: latest
 #@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
 #@schema/examples (example_desc, example_value)
 #@schema/nullable
+#@schema/validation min_len=1
 image_pull_dockerconfigjson: ""
 
 #@schema/title "Run as user"
diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml
index 95090a17a..f35c22036 100644
--- a/deploy/supervisor/values.yaml
+++ b/deploy/supervisor/values.yaml
@@ -1,6 +1,16 @@
 #! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 #! SPDX-License-Identifier: Apache-2.0
 
+#@ def validate_strings_map(obj):
+#@ # Returns True if obj is an associative data structure string→string, and False otherwise.
+#@ for key in obj:
+#@ if type(key) != "string" or type(obj[key]) != "string":
+#@ return False
+#@ end
+#@ end
+#@ return True
+#@ end
+
 #@data/values-schema
 ---
 #@schema/title "App name"
@@ -31,40 +41,28 @@ into_namespace: ""
 #@ not assume that there was a static install-time yaml namespace."
 #@schema/desc custom_labels_desc
 #@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
-#@ def validate_labels(labels):
-#@ """
-#@ Returns True if labels is an associative data structure string→string,
-#@ and False otherwise.
-#@ """
-#@ for label in labels:
-#@ if type(label) != "string" or type(labels[label]) != "string":
-#@ return False
-#@ end
-#@ end
-#@ return True
-#@ end
 #@schema/type any=True
-#@schema/validation ("a map of keys and values", validate_labels)
-custom_labels: {}
+#@schema/validation ("a map of keys and values", validate_strings_map)
+custom_labels: { }
 
 #@schema/title "Replicas"
 #@schema/desc "Specify how many replicas of the Pinniped server to run."
 replicas: 2
 
 #@schema/title "Image repo"
-#@schema/desc "The repository for the Concierge container image."
+#@schema/desc "The repository for the Supervisor container image."
 #@schema/validation min_len=1
 image_repo: projects.registry.vmware.com/pinniped/pinniped-server
 
 #@schema/title "Image digest"
-#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/desc "The image digest for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
 #@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
 #@schema/nullable
 #@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
 image_digest: ""
 
 #@schema/title "Image tag"
-#@schema/desc "The image tag for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
+#@schema/desc "The image tag for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
 #@schema/examples ("Tag", "v0.25.0")
 #@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
 image_tag: latest
 
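Review bot: The validation message here stays `"a map of keys and values"` while the identical check in deploy/concierge/values.yaml in this same diff was reworded to `"a map of string keys and string values"`; operators hit the same validator in both components and should get the same error, so use the concierge wording here too: `#@schema/validation ("a map of string keys and string values", validate_strings_map)`. Likewise the `#@schema/examples ("Digest", ...)` and `("Tag", ...)` labels were renamed to `"Providing a digest"` / `"Providing a tag"` in the concierge and local-user-authenticator files but left as-is in this file.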
@@ -78,75 +76,60 @@ image_tag: latest
 #@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
 #@schema/examples (example_desc, example_value)
 #@schema/nullable
+#@schema/validation min_len=1
 image_pull_dockerconfigjson: ""
 
 #@schema/title "Deprecated service HTTP nodeport port"
 #@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`"
-#@schema/examples ("Specify port","31234")
+#@schema/examples ("Specify port",31234)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_nodeport_port: ""
+deprecated_service_http_nodeport_port: 0
 
 #@schema/title "Deprecated service http nodeport nodeport"
 #@schema/desc "The `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified"
-#@schema/examples ("Specify port","31234")
+#@schema/examples ("Specify port",31234)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_nodeport_nodeport: ""
+deprecated_service_http_nodeport_nodeport: 0
 
 #@schema/title "Deprecated service http loadbalancer port"
 #@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`"
-#@schema/examples ("Specify port","8443")
+#@schema/examples ("Specify port",8443)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_loadbalancer_port: ""
+deprecated_service_http_loadbalancer_port: 0
 
 #@schema/title "Deprecated service http clusterip port"
 #@schema/desc "Creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`"
-#@schema/examples ("Specify port","8443")
+#@schema/examples ("Specify port",8443)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #@schema/deprecated "This data value will be removed in a future release"
-deprecated_service_http_clusterip_port: ""
+deprecated_service_http_clusterip_port: 0
 
 #@schema/title "Service https nodeport port"
 #@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
-#@schema/examples ("Specify port","31243")
+#@schema/examples ("Specify port",31243)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
-service_https_nodeport_port: ""
+service_https_nodeport_port: 0
 
 #@schema/title "Service https nodeport nodeport"
 #@schema/desc "The `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
-#@schema/examples ("Specify port","31243")
+#@schema/examples ("Specify port",31243)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
-service_https_nodeport_nodeport: ""
+service_https_nodeport_nodeport: 0
 
 #@schema/title "Service https loadbalancer port"
 #@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
-#@schema/examples ("Specify port","8443")
+#@schema/examples ("Specify port",8443)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
-service_https_loadbalancer_port: ""
+service_https_loadbalancer_port: 0
 
 #@schema/title "Service https clusterip port"
 #@schema/desc "When specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
-#@schema/examples ("Specify port","8443")
+#@schema/examples ("Specify port",8443)
 #@schema/nullable
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
-service_https_clusterip_port: ""
+service_https_clusterip_port: 0
 
 #@schema/title "Service loadbalancer ip"
 #@schema/desc "The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided."
@@ -177,23 +160,19 @@ deprecated_log_format: ""
 
 #@schema/title "Run as user"
 #@schema/desc "The user ID that will own the process."
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #! See the Dockerfile for the reasoning behind this default value.
 run_as_user: 65532
 
 #@schema/title "Run as group"
 #@schema/desc "The group ID that will own the process."
-#@schema/type any=True
-#@schema/validation ("an int or string", lambda v: type(v) in ["int", "string"])
 #! See the Dockerfile for the reasoning behind this default value.
 run_as_group: 65532
 
 #@schema/title "API group suffix"
 #@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
 #@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
-#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
-#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
+#@ config.supervisor.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
+#@ Pinniped API groups will look like foo.tuna.io. config.supervisor.tuna.io, etc."
 #@schema/desc api_group_suffix_desc
 #@schema/validation min_len=1
 api_group_suffix: pinniped.dev
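Review bot: The eight port values are now typed as int by their `0` default, but nothing bounds them, so a negative or out-of-range value is only caught by the API server at `kubectl apply`; `#@schema/validation min=1, max=65535` on each of them would reject it at render time with a clear message. For the two `*_nodeport_nodeport` values the real constraint is the cluster's NodePort range (30000–32767 unless reconfigured), which is worth a sentence in their `#@schema/desc` even if not enforced. Since every one of these fields is `#@schema/nullable`, confirm that ytt skips the validation when the value is left null so the unset case keeps working.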
@@ -202,25 +181,26 @@ api_group_suffix: pinniped.dev
 #@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
 #@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
 #@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
-#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY. \
-#@ Optional."
+#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
 #@schema/desc https_proxy_desc
-#@schema/examples ("Provide a proxy endpoint","http://proxy.example.com")
+#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
 #@schema/nullable
+#@schema/validation min_len=1
 https_proxy: ""
 
 #@schema/title "No proxy"
-#@schema/desc "Endpoints that should not be proxied. Defaults to some sensible known values on public cloud providers."
-no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
-
+#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
+#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
+#@schema/desc no_proxy_desc
+no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
 
 #@schema/title "Endpoints"
 #@ endpoints_desc = "Control the HTTP and HTTPS listeners of the Supervisor. The current defaults are: \
 #@ {\"https\":{\"network\":\"tcp\",\"address\":\":8443\"},\"http\":\"disabled\"}. \
-#@ These defaults mean: 1.) For HTTPS listening, bind to all interfaces using TCP on port 8443 and \
-#@ 2.) Disable HTTP listening by default. \
+#@ These defaults mean: 1.) for HTTPS listening, bind to all interfaces using TCP on port 8443 and \
+#@ 2.) disable HTTP listening by default. \
 #@ The schema of this config is as follows: \
-#@ {'https':{'network':'tcp | unix | disabled','address':'host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix'},'http':{'network':'tcp | unix | disabled','address':'same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces'}} \
+#@ {\"https\":{\"network\":\"tcp | unix | disabled\",\"address\":\"host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix\"},\"http\":{\"network\":\"tcp | unix | disabled\",\"address\":\"same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces\"}} \
 #@ The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept \
 #@ traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be \
 #@ used to accept traffic from outside the pod, since that would mean that the network traffic could be \
@@ -241,6 +221,14 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #@ return False
 #@ end
 #@ end
+#@ if(type(endpoint) in ["yamlfragment"]):
+#@ if (endpoint["network"] not in ["tcp", "unix", "disabled"]):
+#@ return False
+#@ end
+#@ if (type(endpoint["address"]) not in ["string"]):
+#@ return False
+#@ end
+#@ end
 #@ return True
 #@ end
 #@ def validate_endpoints(endpoints):
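Review bot: The added block indexes `endpoint["network"]` and `endpoint["address"]` without first checking that those keys are present in the fragment; unless the checks earlier in `validate_endpoint` (the function begins above this hunk) already require both keys, a map missing one of them produces a Starlark key error rather than the schema's "a map with keys 'http' and 'https' ..." message. As a point of style, `if(type(endpoint) in ["yamlfragment"]):` and `not in ["string"]` test membership in one-element lists, which reads as `==`/`!=`; the three conditions are clearer as `#@ if type(endpoint) == "yamlfragment":`, `#@ if endpoint["network"] not in ["tcp", "unix", "disabled"]:` and `#@ if type(endpoint["address"]) != "string":`. A short comment such as `#@ A map-form endpoint must name an allowed network and give its address as a string.` above the block would also document why `"disabled"` is accepted inside the map as well as as the bare string.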
@@ -251,9 +239,9 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
 #@ https_val = endpoints["https"]
 #@ return validate_endpoint(http_val) and validate_endpoint(https_val)
 #@ end
-#@schema/validation ("a map with keys 'http' and 'https', both having keys 'network' and 'address' or set to 'disabled'", validate_endpoints)
 #@schema/nullable
-endpoints: {}
+#@schema/validation ("a map with keys 'http' and 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
+endpoints: { }
 
 #@ deprecated_insecure_accept_external_unencrypted_http_requests_desc = "Optionally override the validation on the endpoints.http \
 #@ value which checks that only loopback interfaces are used. \
diff --git a/hack/prepare-impersonator-on-kind.sh b/hack/prepare-impersonator-on-kind.sh
index 0a17cfecc..df0355747 100755
--- a/hack/prepare-impersonator-on-kind.sh
+++ b/hack/prepare-impersonator-on-kind.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 #
@@ -106,7 +106,7 @@ function cleanup() {
 kubectl delete webhookauthenticator local-user-authenticator
 log_note "Stopping kubectl port-forward and exiting..."
 # It may have already shut down, so ignore errors.
-kill -9 $port_forward_pid &> /dev/null || true
+kill -9 $port_forward_pid &>/dev/null || true
 }
 
 trap cleanup EXIT
diff --git a/hack/prepare-supervisor-on-kind.sh b/hack/prepare-supervisor-on-kind.sh
index 5a0cb7202..147a1869d 100755
--- a/hack/prepare-supervisor-on-kind.sh
+++ b/hack/prepare-supervisor-on-kind.sh
@@ -39,7 +39,6 @@ cd "$ROOT"
 
 source hack/lib/helpers.sh
 
-
 use_oidc_upstream=no
 use_ldap_upstream=no
 use_ad_upstream=no
@@ -115,8 +114,8 @@ if [[ "${PINNIPED_USE_CONTOUR:-}" != "" ]]; then # Wait for its pods to be ready. echo "Waiting for Contour to be ready..." - kubectl wait --for 'jsonpath={.status.phase}=Succeeded' pods -l 'app=contour-certgen' -n projectcontour --timeout 60s - kubectl wait --for 'jsonpath={.status.phase}=Running' pods -l 'app!=contour-certgen' -n projectcontour --timeout 60s + kubectl wait --for 'jsonpath={.status.phase}=Succeeded' pods -l 'app=contour-certgen' -n projectcontour --timeout 60s + kubectl wait --for 'jsonpath={.status.phase}=Running' pods -l 'app!=contour-certgen' -n projectcontour --timeout 60s # Create an ingress for the Supervisor which uses TLS passthrough to allow the Supervisor to terminate TLS. cat < $fd_file +cat <$fd_file apiVersion: config.supervisor.pinniped.dev/v1alpha1 kind: FederationDomain metadata: @@ -327,7 +326,7 @@ EOF if [[ "$use_oidc_upstream" == "yes" ]]; then # Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below. - cat << EOF >> $fd_file + cat <>$fd_file - displayName: "My OIDC IDP 🚀" objectRef: @@ -351,7 +350,7 @@ fi if [[ "$use_ldap_upstream" == "yes" ]]; then # Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below. - cat << EOF >> $fd_file + cat <>$fd_file - displayName: "My LDAP IDP 🚀" objectRef: @@ -405,7 +404,7 @@ fi if [[ "$use_ad_upstream" == "yes" ]]; then # Indenting the heredoc by 4 spaces to make it indented the correct amount in the FederationDomain below. - cat << EOF >> $fd_file + cat <>$fd_file - displayName: "My AD IDP" objectRef: