github/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-02-19 20:40:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:v0.32.0
Branches Tags
github:main github:ci github:jtc/freeze-k8s-utils github:jtc/add-a-bunch-of-groups github:poc/AuditEventFrom_replacement github:jtc/bump-to-k8s-0-34-0 github:move_ci github:upgrade_linter_may_2025 github:jtc/bump-to-k8s-1-32-libs github:jtc/backfill-test github:jtc/warn-when-tokens-are-large github:jtc/externally-configured-serving-certs github:jtc/use-soft-memory-limit-1103 github:poc/session_length github:jtc/propose-opt-out-of-self-signed-cas github:poc/kube_csr_api github:release-0.12 github:poc/client-side-logout github:release-0.4
github:v0.44.0 github:v0.43.0 github:v0.42.0 github:v0.41.0 github:v0.40.0 github:v0.39.0 github:v0.38.0 github:v0.37.0 github:v0.36.0 github:v0.35.0 github:v0.34.0 github:v0.33.0 github:v0.32.0 github:v0.31.0 github:v0.30.0 github:v0.29.0 github:v0.28.0 github:v0.27.0 github:v0.26.0 github:v0.25.0 github:v0.24.0 github:v0.23.0 github:v0.22.0 github:v0.21.0 github:v0.20.0 github:v0.19.0 github:v0.18.0 github:v0.17.0 github:v0.16.0 github:v0.15.0 github:v0.12.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.0 github:v0.10.0 github:v0.4.4 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.4.3 github:v0.8.0 github:v0.4.2 github:v0.7.0 github:v0.6.0 github:v0.5.0 github:v0.4.1 github:v0.4.0 github:v0.3.0 github:v0.2.0 github:v0.1.0
...
compare: github:v0.33.0
Branches Tags
github:ci github:main github:jtc/freeze-k8s-utils github:jtc/add-a-bunch-of-groups github:poc/AuditEventFrom_replacement github:jtc/bump-to-k8s-0-34-0 github:move_ci github:upgrade_linter_may_2025 github:jtc/bump-to-k8s-1-32-libs github:jtc/backfill-test github:jtc/warn-when-tokens-are-large github:jtc/externally-configured-serving-certs github:jtc/use-soft-memory-limit-1103 github:poc/session_length github:jtc/propose-opt-out-of-self-signed-cas github:poc/kube_csr_api github:release-0.12 github:poc/client-side-logout github:release-0.4
github:v0.44.0 github:v0.43.0 github:v0.42.0 github:v0.41.0 github:v0.40.0 github:v0.39.0 github:v0.38.0 github:v0.37.0 github:v0.36.0 github:v0.35.0 github:v0.34.0 github:v0.33.0 github:v0.32.0 github:v0.31.0 github:v0.30.0 github:v0.29.0 github:v0.28.0 github:v0.27.0 github:v0.26.0 github:v0.25.0 github:v0.24.0 github:v0.23.0 github:v0.22.0 github:v0.21.0 github:v0.20.0 github:v0.19.0 github:v0.18.0 github:v0.17.0 github:v0.16.0 github:v0.15.0 github:v0.12.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.0 github:v0.10.0 github:v0.4.4 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.4.3 github:v0.8.0 github:v0.4.2 github:v0.7.0 github:v0.6.0 github:v0.5.0 github:v0.4.1 github:v0.4.0 github:v0.3.0 github:v0.2.0 github:v0.1.0

183 Commits
v0.32.0 ... v0.33.0

Author SHA1 Message Date
Ryan Richard
b377040144 Merge pull request #2034 from vmware-tanzu/jtc/older-idps-should-use-unknown-condition-status 
OIDC/LDAP/AD IDPs should use unknown condition status
 2024-08-06 20:13:02 -07:00
Ryan Richard
c1328d9619 update expectation in supervisor_ldap_idp_test.go 2024-08-06 16:08:25 -07:00
Joshua Casey
f918edd846 Add integration tests to ensure that LDAP/AD conditions with status Unknown if they cannot be validated 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-06 16:08:25 -07:00
Ryan Richard
6b49cd7d28 add Unknown SearchBaseFound status condition for AD only 2024-08-06 16:08:25 -07:00
Joshua Casey
afa3aa2232 LDAP and AD IDPs now always report condition with type LDAPConnectionValid, even if the status is unknown 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-06 16:08:25 -07:00
Joshua Casey
1c59a41cc5 Remove some dead code from LDAP/AD controllers 2024-08-06 16:08:25 -07:00
Joshua Casey
0626b22c70 OIDC Upstream Watcher now reports condition OIDCDiscoverySucceeded with status Unknown if TLS validation fails 2024-08-06 16:08:25 -07:00
Ryan Richard
fbbec507d1 Merge pull request #2036 from vmware-tanzu/bump_codegen 
Bump codegen
 2024-08-06 15:08:32 -07:00
Ryan Richard
a4b0416174 Merge pull request #2035 from vmware-tanzu/go-github-v62 
upgrade github.com/google/go-github from v62 to v63
 2024-08-06 15:08:10 -07:00
Ryan Richard
659f33dc55 run codegen for updated kube-versions.txt 2024-08-06 13:53:44 -07:00
Ryan Richard
20ddf553ce update kube-versions.txt 2024-08-06 13:50:25 -07:00
Ryan Richard
7483de5e90 upgrade github.com/google/go-github from v62 to v63 2024-08-06 13:45:38 -07:00
Joshua Casey
9f1d6258a2 Merge pull request #2032 from vmware-tanzu/github_api_host 
When testing connection for GitHubIdentityProvider host `github.com`, actually dial `api.github.com`
 2024-08-06 12:53:08 -05:00
Ryan Richard
99b59a90b6 run codegen for gihub doc change from previous commit 2024-08-06 08:58:30 -07:00
Ryan Richard
56bf9bad25 GitHubIdentityProvider: document github.com vs. api.github.com 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-06 08:58:30 -07:00
Ryan Richard
229b6a262e when dialing github to test connection, dial api.github.com 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-06 08:58:30 -07:00
Ryan Richard
74d9fb863f Merge pull request #2028 from vmware-tanzu/doc_typo 
fix WS1 doc typo
 2024-08-06 08:58:00 -07:00
Joshua Casey
e332fb505c Merge branch 'main' into doc_typo 2024-08-06 09:10:21 -05:00
Ashish Amarnath
dafde586ec Merge pull request #2033 from vmware-tanzu/update-comments 
fix typo in integration test function comments
 2024-08-06 06:50:44 -07:00
Joshua Casey
cb101e4dbe Merge branch 'main' into doc_typo 2024-08-06 08:28:22 -05:00
Ashish Amarnath
6fdfee36fe fix typo in integration test function comments 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 23:33:31 -07:00
Ryan Richard
0787301ddb Merge pull request #1996 from ashish-amarnath/ca-bundles-ref 
Implement proposal to allow Pinniped custom resources to ref configmaps or secrets for CA bundles
 2024-08-05 14:28:39 -07:00
Ryan Richard
2af510a3ee Revert "add integration test for TLS config validation in GitHubIdentityProvider" 
This reverts commit 23129da3e2.
 2024-08-05 12:52:41 -07:00
Ryan Richard
fdeca2c026 Revert "add integration test for TLS config validation in OIDCIdentityProvider" 
This reverts commit 59402bca7b.
 2024-08-05 12:52:29 -07:00
Ryan Richard
23fd15f840 Revert "Add integration tests for tls spec validation in JWTAuthenticator and WebhookAuthenticator" 
This reverts commit c3405095b2.
 2024-08-05 12:52:21 -07:00
Ryan Richard
06b7d302a2 fix typo in tmpl and run codegen 2024-08-05 11:32:21 -07:00
Ashish Amarnath
b70db9dc03 refactor to use new certificateAuthorityDataSourceKind enum 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ryan Richard
d4ac69d88e run codegen for changes in previous commit 2024-08-05 11:32:21 -07:00
Ryan Richard
59c2295dfd improve api docs for TLSSpec in authenticator and IDP specs 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ryan Richard
4eb9a09385 test more condition message cases in concierge_tls_spec_test.go and supervisor_tls_spec_test.go 2024-08-05 11:32:21 -07:00
Ryan Richard
db2d7c8c50 assert on condition message in concierge_tls_spec_test.go and supervisor_tls_spec_test.go 2024-08-05 11:32:21 -07:00
Ryan Richard
2ebf9d3d00 minor test refactor 2024-08-05 11:32:21 -07:00
Ryan Richard
67de14a3b8 ran codegen on previous commit's changes 2024-08-05 11:32:21 -07:00
Ryan Richard
a40c88ebf3 document allowed enum values and default values in all CR spec fields 2024-08-05 11:32:21 -07:00
Ashish Amarnath
23129da3e2 add integration test for TLS config validation in GitHubIdentityProvider 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ashish Amarnath
59402bca7b add integration test for TLS config validation in OIDCIdentityProvider 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ashish Amarnath
c3405095b2 Add integration tests for tls spec validation in JWTAuthenticator and WebhookAuthenticator 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ryan Richard
2181418cc5 refactor test helpers in supervisor_login_test.go 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ryan Richard
e0235ed190 update docs and change struct name in types_tls.go.tmpl files 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:21 -07:00
Ryan Richard
02e41baa47 small refactors 2024-08-05 11:32:21 -07:00
Ryan Richard
91ef68992c document new CA bundle source option in howto docs 2024-08-05 11:32:20 -07:00
Ashish Amarnath
43964ff7a2 update generated api docs 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
19c4acf391 secret/configmap with CA bundle to be created in namespace where pinniped is installed 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
ed502949dd webhookcachefiller and jwtcachefiller always update status when needed 
Even when the authenticator is found in the cache, try to update its
status. Failing to do so would mean that the actual status will not
be overwritten by the controller's newly computed desired status.

Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
a0c259ffbc update expectation conditions message when CA bundle is not configured 
fix a typo where we intended to use a configmap instead of a secret

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
d6d66faae3 jwtcachefiller now tests for exact log lines and prints when it chooses to not update the status 2024-08-05 11:32:20 -07:00
Ryan Richard
15c84fcc94 extract helper func in jwtcachefiller and webhookcachefiller 2024-08-05 11:32:20 -07:00
Joshua Casey
1438f06c12 webhookcachefiller adds more detail when it chooses to update or not update status conditions 2024-08-05 11:32:20 -07:00
Joshua Casey
ca5bb2170c webhookcontroller should use a logger that is built for each webhook authenticator 2024-08-05 11:32:20 -07:00
Joshua Casey
05a2fd97f8 webhookcontroller now only logs the webhook authenticator name instead of an object 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
dedd51df91 Test Refactor: webhookauthenticator_test checks exact log line equality 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
290676e4d1 improve info/debug log messages for jwtcachefiller & webhookcachefiller 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
8725ab4caa do not make any assumption about OIDC issuer 404 page body in test 
Instead of using Dex or Okta, use a fake localhost issuer which
does not exist. This will give a consistent connection error
message. Needed because Dex and Okta return different 404 error
pages, so we can't easily make a test assertion that works for both.

Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
3891f90f43 skip external CA bundle tests when CA bundle is empty 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
9f17ba5ae4 change wording of TLS config loaded success messages 2024-08-05 11:32:20 -07:00
Ashish Amarnath
81d42cb3b9 add unit tests for validatedsettings cache storing ca bundle hash 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
dfef9f470f fix bug in webhookcachefiller caused when status update returns error 
Also refactor test assertions regarding log statements in
jwtcachefiller_test.go and webhookcachefiller_test.go

Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
f5da417450 fix bug in jwtcachefiller caused when status update returns error 
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
a888083c50 Introduce type alias CABundleHash for the hash of a CA bundle ([32]byte) 
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
99cfc4fbce Remove tlsconfigutil.CABundle.IsEqual and ensure that tlsconfigutil.NewCABundle handles nil/empty input 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
fcceeed9fa Refactor tlsconfigutil.CABundle 'getters' to not have 'get' in the name 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
4cf0e46c38 tlsconfigutil.CABundle should generate its own certPool 2024-08-05 11:32:20 -07:00
Joshua Casey
34eff2a2f9 Refactor tlsconfigutil.buildCABundle to make it more clear where the bundle is coming from 2024-08-05 11:32:20 -07:00
Joshua Casey
e82cb2c7ba Refactor tlsconfigutil.getCertPool to return a CABundle and change its name to buildCABundle 2024-08-05 11:32:20 -07:00
Joshua Casey
0711093ccd Add tests for tlsconfigutil.CABundle and all callers should use the constructor 2024-08-05 11:32:20 -07:00
Joshua Casey
15d0006841 Pull tlsconfigutil.CABundle into a separate file 2024-08-05 11:32:20 -07:00
Ashish Amarnath
282b949c24 update jwtcachefiller to use new tlsconfigutil.CABundle type 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
005dbf3aa8 refactor tlsconfigutil to return a caBundle type 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
a1dcba4731 add unit tests for validatedsettings cache storing ca bundle hash 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Ashish Amarnath
2a62beeb5f store ca bundle hash in validated settings cache 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
242fa8afb2 When reading CA bundle from a secret/configmap, return more specific err 
When the bundle does not contain any certs, make the error more
specific.

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
e3ed722252 Minor refactor 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
9a16dc28b7 Fix another integration test 2024-08-05 11:32:20 -07:00
Joshua Casey
de86809b69 Fix some integration tests 2024-08-05 11:32:20 -07:00
Joshua Casey
9420bfde5b webhookcachefiller controller loops over all webhookauthenticators 2024-08-05 11:32:20 -07:00
Ryan Richard
adb460b644 refactor integration test to use proper test table 2024-08-05 11:32:20 -07:00
Ryan Richard
06b47a5792 jwtcachefiller controller loops over all jwtauthenticators 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
ca2dd2d476 refactor InferSupervisorIssuerURL() func; remove a TODO 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
60f82d2a55 Fix integration test typo 2024-08-05 11:32:20 -07:00
Ryan Richard
414ff503ef extract some common condition reason string constants 2024-08-05 11:32:20 -07:00
Joshua Casey
4ec5766ea9 Modify Concierge/Superivsor TLS spec integration tests to allow for older K8s versions 2024-08-05 11:32:20 -07:00
Joshua Casey
b7c26c43ca Add LDAPIdentityProvider and ActiveDirectoryIdentityProvider to the Supervisor TLS config static validation integration tests 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
4b2ed52f44 Add GitHubIdentityProvider to the Supervisor TLS config static validation integration tests 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:20 -07:00
Ryan Richard
f381c92f0b Use templates to reduce duplication in concierge_tls_spec_test.go 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:20 -07:00
Joshua Casey
3a303cc8fb Supervisor TLS Spec validation integration tests should use helper method 2024-08-05 11:32:20 -07:00
Ryan Richard
09724cfa71 Add unit test: when discovery is already cached for OIDCIdentityProvider 2024-08-05 11:32:20 -07:00
Joshua Casey
d74c2a6e3f Supervisor TLS spec integration tests should use an OIDC issuer url from the test environment 2024-08-05 11:32:19 -07:00
Joshua Casey
0f9352db3b Integration tests should use a helper func to infer Supervisor's downstream issuer URL 2024-08-05 11:32:19 -07:00
Joshua Casey
afec420ce6 Add JWTAuthenticators to the static validation checks for concierge TLS spec 2024-08-05 11:32:19 -07:00
Joshua Casey
d5e3ad9da0 Concierge external TLS static integration tests use the real URL of the deployed local-user-authenticator 2024-08-05 11:32:19 -07:00
Ryan Richard
0f103ed2a4 Add unit tests for external CA bundle in oidc_upstream_watcher_test.go 2024-08-05 11:32:19 -07:00
Joshua Casey
d62d6a1f27 Refactor github_controller_watcher to simplify the tls Dial 2024-08-05 11:32:19 -07:00
Ryan Richard
a4ad5d68a9 Fix *_tls_spec_test.go for old versions of Kubernetes 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:19 -07:00
Ryan Richard
30c0fd479e Fix e2e_test.go 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:19 -07:00
Ryan Richard
756966c55b add "Status" printer column to JWTAuthenticator and WebhookAuthenticator 2024-08-05 11:32:19 -07:00
Joshua Casey
288e092d2e GitHub IDP watcher should not dial an address that has already been validated 2024-08-05 11:32:19 -07:00
Ryan Richard
72745cd8fe run codegen to update copyrights 2024-08-05 11:32:19 -07:00
Ryan Richard
8060e82745 include external CA bundles in the cache key in oidc_upstream_watcher.go 2024-08-05 11:32:19 -07:00
Ryan Richard
373713f7e0 webhook controller redoes validations when external CA bundle changes 2024-08-05 11:32:19 -07:00
Joshua Casey
66401b42d8 Add GitHubIDP tests for a CA bundle in a Secret or a ConfigMap 2024-08-05 11:32:19 -07:00
Joshua Casey
2d5943b21a Move conditions reason Success to conditions_util 2024-08-05 11:32:19 -07:00
Ryan Richard
920b519ebf error when CA bundle from Secret or ConfigMap is empty 
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
 2024-08-05 11:32:19 -07:00
Joshua Casey
bf1c02d328 jwtauthenticator controller redoes validations when external CA bundle changes 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:19 -07:00
Joshua Casey
6e9023e090 add code review todos and light refactoring 
Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
1b7a26d932 test secret and configmap filtering in concierge authenticator controllers 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
cb4b63f8b3 integration tests for concierge authenticators 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
8eb15a924f integration tests for supervisor oidc, ldap, activedirectory IDP 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
6a610a9d51 add namespace to jwt authenticator controller 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
821a893f70 integration tests for supervisor oidc, ldap, activedirectory IDP 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
afcd80de37 more integration tests pass 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
edc327ba33 update supervisor RBAC to allow get, list, and watch on configmaps 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
90e8cc86c2 integration tests pass 2024-08-05 11:32:19 -07:00
Ashish Amarnath
9ab7c39d56 jwt cache filler 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
207bac9452 webhook cache filler 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
199562fd05 get all supervisor unit tests to pass 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
3a969a83b7 update supervisor controllers 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
aab1ee9edc unify TLS Spec between supervisor and concierge 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
080c75efe6 refactor tls spec validation into its own package 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
7e6dadb508 add CRD validation integration tests 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
19c3f2cb04 run hack/update.sh 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:19 -07:00
Ashish Amarnath
842f14af4c update go templates for TLSSpec for concierge and supervisor 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-08-05 11:32:18 -07:00
Joshua Casey
05c258026a Merge branch 'main' into doc_typo 2024-08-05 13:31:05 -05:00
Joshua Casey
1bb38911dc Merge pull request #2030 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-08-05 13:23:30 -05:00
Joshua Casey
ec943fffdc Bump golang.org/x/mod from 0.19.0 to 0.20.0 in /hack/update-go-mod 2024-08-05 12:08:46 -05:00
Pinny
ae1d182b30 Bump dependencies 2024-08-05 13:01:14 +00:00
Joshua Casey
82c056b955 Merge branch 'main' into doc_typo 2024-08-02 16:05:03 -05:00
Joshua Casey
7acc2aa383 Merge pull request #2026 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-08-02 16:04:46 -05:00
Ryan Richard
4e6a39ed11 fix WS1 doc typo 2024-08-02 09:12:08 -07:00
Pinny
d587c6b10e Bump dependencies 2024-08-02 13:02:39 +00:00
Ryan Richard
51c5a05ea7 Merge pull request #2024 from vmware-tanzu/hack_improvements 
small improvements to some hack scripts
 2024-08-01 12:50:13 -07:00
Ryan Richard
f0cac8c5d3 small improvements to some hack scripts 2024-08-01 10:00:27 -07:00
Joshua Casey
76f3430c68 Merge pull request #2023 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-31 08:57:24 -05:00
Pinny
0e4f7082b0 Bump dependencies 2024-07-31 13:02:19 +00:00
Ashish Amarnath
66f005f275 Merge pull request #2022 from ashish-amarnath/host-name-case-insensitve 
make host name parsing case-insensitive
 2024-07-30 10:31:48 -07:00
Joshua Casey
bc10d500b7 Merge branch 'main' into host-name-case-insensitve 2024-07-30 09:27:45 -05:00
Ashish Amarnath
7c7f0fdae3 make host name parsing case-insensitive 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>

Co-authored-by: Ryan Richard <richardry@vmware.com>
 2024-07-29 14:32:01 -07:00
Joshua Casey
4fa901c017 Merge pull request #2021 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-29 09:52:44 -05:00
Pinny
fd11c37825 Bump dependencies 2024-07-29 13:02:10 +00:00
Joshua Casey
f1b82dbf1f Merge pull request #2020 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-26 15:39:47 -05:00
Pinny
8891455e10 Bump dependencies 2024-07-26 13:03:12 +00:00
Joshua Casey
5540f25932 Merge pull request #2019 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-24 09:45:57 -05:00
Pinny
ee9bbbe50b Bump dependencies 2024-07-24 13:02:40 +00:00
Joshua Casey
e013c90993 Merge pull request #2018 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-22 10:54:22 -05:00
Pinny
fa85be4b94 Bump dependencies 2024-07-22 13:02:35 +00:00
Ryan Richard
276cba08ee Merge pull request #2015 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-19 06:54:49 -07:00
Pinny
0e312c88c1 Bump dependencies 2024-07-19 13:01:19 +00:00
Ryan Richard
00301e3642 Merge pull request #2013 from vmware-tanzu/authenticators_bugfix 
fix authenticators bug: stop allowing usage when validation fails
 2024-07-17 11:35:24 -07:00
Ryan Richard
a2be4b7b5e clarify some comments based on PR feedback 2024-07-17 09:58:26 -07:00
Ryan Richard
b5a509f27f fix authenticators bug: stop allowing usage when validation fails 2024-07-16 09:59:19 -07:00
Ryan Richard
6b722a14c8 Merge pull request #2014 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-16 09:38:58 -07:00
Pinny
dd0c805b09 Bump dependencies 2024-07-16 13:01:44 +00:00
Ryan Richard
6c35490cfb Merge pull request #2012 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-15 09:48:11 -07:00
Pinny
19a04ea804 Bump dependencies 2024-07-15 13:02:37 +00:00
Ryan Richard
a9a63914b2 Merge pull request #2008 from vmware-tanzu/dependabot/go_modules/hack/update-go-mod/golang.org/x/mod-0.19.0 
Bump golang.org/x/mod from 0.18.0 to 0.19.0 in /hack/update-go-mod
 2024-07-12 09:00:02 -07:00
Ryan Richard
b7d1c3f5f6 Merge pull request #2010 from vmware-tanzu/remove_warning 
remove unnecessary warning log message
 2024-07-12 08:59:45 -07:00
Ryan Richard
a8ccdbc833 Merge pull request #2011 from vmware-tanzu/update_toolchain 
update Go toolchain directives to match current version of Go
 2024-07-12 08:59:29 -07:00
Ryan Richard
decf1cf537 update Go toolchain directives to match current version of Go 2024-07-10 10:27:39 -07:00
Ryan Richard
e5cfa521da remove unnecessary warning log message 
This message is not needed because the IDP chooser page will take
care of the case where a browser-based authorization flow did not
request any specific IDP. For browserless flows (only allowed for
the `pinniped-cli` client), the client must request a specific IDP
(except in backwards-compatibility mode) because there is no browser
in which to show the IDP chooser page. Failing to request a specific
IDP in a browserless flow will result in a helpful error message
being returned.
 2024-07-10 09:32:23 -07:00
Ryan Richard
dd80627dfa Merge pull request #2007 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-10 08:58:13 -07:00
Pinny
f79c844c71 Bump dependencies 2024-07-10 13:01:25 +00:00
dependabot[bot]
cb550dfed0 Bump golang.org/x/mod from 0.18.0 to 0.19.0 in /hack/update-go-mod 
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/golang/mod/compare/v0.18.0...v0.19.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-07-05 01:48:54 +00:00
Ryan Richard
602623a0ba Merge pull request #2005 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-02 15:30:16 -07:00
Pinny
6d7646c0a2 Bump dependencies 2024-07-02 13:02:03 +00:00
Ryan Richard
51518aeb03 Merge pull request #2004 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-07-01 10:43:24 -07:00
Pinny
f3e710c814 Bump dependencies 2024-07-01 13:02:17 +00:00
Ryan Richard
b132b14982 Merge pull request #2003 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-06-27 13:29:03 -07:00
Pinny
6cd45fa81c Bump dependencies 2024-06-27 17:43:41 +00:00
Ryan Richard
95e4b8fcdf Merge pull request #2001 from vmware-tanzu/replace_go-retryablehttp 
replace indirect dep go-retryablehttp
 2024-06-27 10:23:12 -07:00
Ryan Richard
b4cd64e999 replace indirect dep go-retryablehttp 2024-06-25 11:22:42 -07:00
Ryan Richard
82dbb93e2c Merge pull request #1999 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-06-24 12:03:08 -07:00
Pinny
b7e12334d6 Bump dependencies 2024-06-24 17:42:49 +00:00
Ryan Richard
a39eac6f1b Merge pull request #1998 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-06-21 16:10:57 -07:00
Ryan Richard
418ec2a01f Merge pull request #1997 from vmware-tanzu/upgrade_jose_and_coreosoidc 
upgrade github.com/go-jose/go-jose and github.com/coreos/go-oidc
 2024-06-21 13:10:45 -07:00
Ryan Richard
0380a9ce33 upgrade github.com/go-jose/go-jose and github.com/coreos/go-oidc 
Also standardize some related imports and fix some whitespace in a test
 2024-06-21 11:16:40 -07:00
Pinny
ed338d1455 Bump dependencies 2024-06-21 13:05:15 +00:00
Ryan Richard
10699314d4 Merge pull request #1995 from vmware-tanzu/pinny/bump-deps 
Bump dependencies
 2024-06-20 09:01:59 -07:00
Pinny
1f7b6133cd Bump dependencies 2024-06-20 13:02:20 +00:00
Ashish Amarnath
3c0ed4d5e3 Merge pull request #1984 from vmware-tanzu/jtc/add-proposal-for-secret-ref-ca-bundles 
Add proposal for CA bundles to be sourced from configmaps or secrets
 2024-06-19 16:21:47 -07:00
Ashish Amarnath
e38f0824dc update proposal for CA bundles from secret and configmap refs 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
 2024-06-19 16:19:31 -07:00
Ryan Richard
a7d2c50550 Merge pull request #1993 from vmware-tanzu/local_demo 
add local demo tutorial to site
 2024-06-19 14:21:43 -07:00
Joshua Casey
9fee276214 Add proposal for CA bundles from secret refs 2024-06-19 13:48:44 -07:00
Ryan Richard
ef7c7d879b add local demo tutorial to site 2024-06-19 13:02:02 -07:00
Pinny
ea64444c8b Updated versions in docs for v0.32.0 release 2024-06-19 19:08:25 +00:00
257 changed files with 14890 additions and 3105 deletions
Expand all files Collapse all files

8
.golangci.yaml
View File

@@ -109,11 +109,17 @@ linters-settings:
# k8s.io
- pkg: k8s.io/api/core/v1
alias: corev1
# OAuth2/OIDC/Fosite
# OAuth2/OIDC/Fosite/JOSE
- pkg: github.com/coreos/go-oidc/v3/oidc
alias: coreosoidc
- pkg: github.com/ory/fosite/handler/oauth2
alias: fositeoauth2
- pkg: github.com/ory/fosite/token/jwt
alias: fositejwt
- pkg: github.com/go-jose/go-jose/v4/jwt
alias: josejwt
- pkg: github.com/go-jose/go-jose/v3
alias: oldjosev3
# Generated Pinniped
- pkg: go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
alias: authenticationv1alpha1

4
Dockerfile
View File

@@ -3,8 +3,8 @@
# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
ARG BUILD_IMAGE=golang:1.22.4@sha256:c2010b9c2342431a24a2e64e33d9eb2e484af49e72c820e200d332d214d5e61f
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:e9ac71e2b8e279a8372741b7a0293afda17650d926900233ec3a7b2b7c22a246
ARG BUILD_IMAGE=golang:1.22.5@sha256:86a3c48a61915a8c62c0e1d7594730399caa3feb73655dfe96c7bc17710e96cf
ARG BASE_IMAGE=gcr.io/distroless/static:nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65
# Prepare to cross-compile by always running the build stage in the build platform, not the target platform.
FROM --platform=$BUILDPLATFORM $BUILD_IMAGE as build-env

1
apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go.tmpl
View File

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {

40
apis/concierge/authentication/v1alpha1/types_tls.go.tmpl
View File

@@ -1,11 +1,47 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for configuring TLS on various authenticators.
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration on various authenticators.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

1
apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go.tmpl
View File

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type WebhookAuthenticator struct {

4
apis/concierge/config/v1alpha1/types_credentialissuer.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
}
// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
// Allowed values are "auto", "enabled", or "disabled".
//
// +kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
)
// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
// Allowed values are "LoadBalancer", "ClusterIP", or "None".
//
// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxyServiceType string

4
apis/supervisor/config/v1alpha1/types_federationdomain.go.tmpl
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`

11
apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go.tmpl
View File

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// Only specify domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
// Note that this field should not be needed when using GitHub's public API ("github.com").
// However, if you choose to specify this field when using GitHub's public API, you must
// specify a CA bundle that will verify connections to "api.github.com".
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
// Defaults to "OnlyUsersFromAllowedOrganizations".
//
// Must be set to "AllGitHubUsers" if the allowed field is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.

36
apis/supervisor/idp/v1alpha1/types_tls.go.tmpl
View File

@@ -3,9 +3,45 @@
package v1alpha1
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

36
deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
View File

@@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -92,6 +95,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- audience

36
deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
View File

@@ -22,6 +22,9 @@ spec:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -63,6 +66,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- endpoint

10
deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
View File

@@ -143,8 +143,9 @@ spec:
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
description: |-
Type determines the type of the constant, and indicates which other field should be non-empty.
Allowed values are "string" or "stringList".
enum:
- string
- stringList
@@ -262,8 +263,9 @@ spec:
an authentication attempt. When empty, a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
description: |-
Type determines the type of the expression. It must be one of the supported types.
Allowed values are "policy/v1", "username/v1", or "groups/v1".
enum:
- policy/v1
- username/v1

33
deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
View File

@@ -170,6 +170,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

48
deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
View File

@@ -89,7 +89,11 @@ spec:
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
Defaults to "OnlyUsersFromAllowedOrganizations".
Must be set to "AllGitHubUsers" if the allowed field is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
Only specify domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
description: |-
TLS configuration for GitHub Enterprise Server.
Note that this field should not be needed when using GitHub's public API ("github.com").
However, if you choose to specify this field when using GitHub's public API, you must
specify a CA bundle that will verify connections to "api.github.com".
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
type: object
required:

33
deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
View File

@@ -161,6 +161,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

33
deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
View File

@@ -211,6 +211,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- client

3
deploy/supervisor/rbac.yaml
View File

@@ -16,6 +16,9 @@ rules:
- apiGroups: [""]
resources: [secrets]
verbs: [create, get, list, patch, update, watch, delete]
- apiGroups: [""]
resources: [configmaps]
verbs: [get, list, watch]
- apiGroups:
- #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
resources: [federationdomains]

96
generated/1.24/README.adoc generated
View File

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
==== JWTAuthenticator
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various authenticators.
TLSSpec provides TLS configuration on various authenticators.
.Appears In:
****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
==== ImpersonationProxyMode (string)
ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
Allowed values are "auto", "enabled", or "disabled".
.Appears In:
****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
==== ImpersonationProxyServiceType (string)
ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
Allowed values are "LoadBalancer", "ClusterIP", or "None".
.Appears In:
****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
Allowed values are "string" or "stringList". +
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
|===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
Allowed values are "policy/v1", "username/v1", or "groups/v1". +
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
Only specify domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
Note that this field should not be needed when using GitHub's public API ("github.com"). +
However, if you choose to specify this field when using GitHub's public API, you must +
specify a CA bundle that will verify connections to "api.github.com". +
|===
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===

1
generated/1.24/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated
View File

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {

40
generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go generated
View File

@@ -1,11 +1,47 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for configuring TLS on various authenticators.
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration on various authenticators.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

1
generated/1.24/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go generated
View File

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type WebhookAuthenticator struct {

25
generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -13,6 +13,22 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}

4
generated/1.24/apis/concierge/config/v1alpha1/types_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
}
// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
// Allowed values are "auto", "enabled", or "disabled".
//
// +kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
)
// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
// Allowed values are "LoadBalancer", "ClusterIP", or "None".
//
// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxyServiceType string

4
generated/1.24/apis/supervisor/config/v1alpha1/types_federationdomain.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`

11
generated/1.24/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated
View File

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// Only specify domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
// Note that this field should not be needed when using GitHub's public API ("github.com").
// However, if you choose to specify this field when using GitHub's public API, you must
// specify a CA bundle that will verify connections to "api.github.com".
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
// Defaults to "OnlyUsersFromAllowedOrganizations".
//
// Must be set to "AllGitHubUsers" if the allowed field is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.

36
generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -3,9 +3,45 @@
package v1alpha1
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

29
generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}

36
generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -92,6 +95,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- audience

36
generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -22,6 +22,9 @@ spec:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -63,6 +66,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- endpoint

10
generated/1.24/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -143,8 +143,9 @@ spec:
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
description: |-
Type determines the type of the constant, and indicates which other field should be non-empty.
Allowed values are "string" or "stringList".
enum:
- string
- stringList
@@ -262,8 +263,9 @@ spec:
an authentication attempt. When empty, a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
description: |-
Type determines the type of the expression. It must be one of the supported types.
Allowed values are "policy/v1", "username/v1", or "groups/v1".
enum:
- policy/v1
- username/v1

33
generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -170,6 +170,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

48
generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated
View File

@@ -89,7 +89,11 @@ spec:
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
Defaults to "OnlyUsersFromAllowedOrganizations".
Must be set to "AllGitHubUsers" if the allowed field is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
Only specify domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
description: |-
TLS configuration for GitHub Enterprise Server.
Note that this field should not be needed when using GitHub's public API ("github.com").
However, if you choose to specify this field when using GitHub's public API, you must
specify a CA bundle that will verify connections to "api.github.com".
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
type: object
required:

33
generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -161,6 +161,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

33
generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -211,6 +211,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- client

96
generated/1.25/README.adoc generated
View File

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
==== JWTAuthenticator
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various authenticators.
TLSSpec provides TLS configuration on various authenticators.
.Appears In:
****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
==== ImpersonationProxyMode (string)
ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
Allowed values are "auto", "enabled", or "disabled".
.Appears In:
****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
==== ImpersonationProxyServiceType (string)
ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
Allowed values are "LoadBalancer", "ClusterIP", or "None".
.Appears In:
****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
Allowed values are "string" or "stringList". +
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
|===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
Allowed values are "policy/v1", "username/v1", or "groups/v1". +
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
Only specify domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
Note that this field should not be needed when using GitHub's public API ("github.com"). +
However, if you choose to specify this field when using GitHub's public API, you must +
specify a CA bundle that will verify connections to "api.github.com". +
|===
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===

1
generated/1.25/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated
View File

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {

40
generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go generated
View File

@@ -1,11 +1,47 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for configuring TLS on various authenticators.
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration on various authenticators.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

1
generated/1.25/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go generated
View File

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type WebhookAuthenticator struct {

25
generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -13,6 +13,22 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}

4
generated/1.25/apis/concierge/config/v1alpha1/types_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
}
// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
// Allowed values are "auto", "enabled", or "disabled".
//
// +kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
)
// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
// Allowed values are "LoadBalancer", "ClusterIP", or "None".
//
// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxyServiceType string

4
generated/1.25/apis/supervisor/config/v1alpha1/types_federationdomain.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`

11
generated/1.25/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated
View File

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// Only specify domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
// Note that this field should not be needed when using GitHub's public API ("github.com").
// However, if you choose to specify this field when using GitHub's public API, you must
// specify a CA bundle that will verify connections to "api.github.com".
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
// Defaults to "OnlyUsersFromAllowedOrganizations".
//
// Must be set to "AllGitHubUsers" if the allowed field is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.

36
generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -3,9 +3,45 @@
package v1alpha1
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

29
generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}

36
generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -92,6 +95,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- audience

36
generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -22,6 +22,9 @@ spec:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -63,6 +66,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- endpoint

10
generated/1.25/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -143,8 +143,9 @@ spec:
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
description: |-
Type determines the type of the constant, and indicates which other field should be non-empty.
Allowed values are "string" or "stringList".
enum:
- string
- stringList
@@ -262,8 +263,9 @@ spec:
an authentication attempt. When empty, a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
description: |-
Type determines the type of the expression. It must be one of the supported types.
Allowed values are "policy/v1", "username/v1", or "groups/v1".
enum:
- policy/v1
- username/v1

33
generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -170,6 +170,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

48
generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated
View File

@@ -89,7 +89,11 @@ spec:
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
Defaults to "OnlyUsersFromAllowedOrganizations".
Must be set to "AllGitHubUsers" if the allowed field is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
Only specify domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
description: |-
TLS configuration for GitHub Enterprise Server.
Note that this field should not be needed when using GitHub's public API ("github.com").
However, if you choose to specify this field when using GitHub's public API, you must
specify a CA bundle that will verify connections to "api.github.com".
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
type: object
required:

33
generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -161,6 +161,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

33
generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -211,6 +211,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- client

96
generated/1.26/README.adoc generated
View File

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
==== JWTAuthenticator
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various authenticators.
TLSSpec provides TLS configuration on various authenticators.
.Appears In:
****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
==== ImpersonationProxyMode (string)
ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
Allowed values are "auto", "enabled", or "disabled".
.Appears In:
****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
==== ImpersonationProxyServiceType (string)
ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
Allowed values are "LoadBalancer", "ClusterIP", or "None".
.Appears In:
****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
Allowed values are "string" or "stringList". +
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
|===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
Allowed values are "policy/v1", "username/v1", or "groups/v1". +
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
Only specify domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
Note that this field should not be needed when using GitHub's public API ("github.com"). +
However, if you choose to specify this field when using GitHub's public API, you must +
specify a CA bundle that will verify connections to "api.github.com". +
|===
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===

1
generated/1.26/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated
View File

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {

40
generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go generated
View File

@@ -1,11 +1,47 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for configuring TLS on various authenticators.
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration on various authenticators.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

1
generated/1.26/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go generated
View File

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type WebhookAuthenticator struct {

25
generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -13,6 +13,22 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}

4
generated/1.26/apis/concierge/config/v1alpha1/types_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
}
// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
// Allowed values are "auto", "enabled", or "disabled".
//
// +kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
)
// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
// Allowed values are "LoadBalancer", "ClusterIP", or "None".
//
// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxyServiceType string

4
generated/1.26/apis/supervisor/config/v1alpha1/types_federationdomain.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`

11
generated/1.26/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated
View File

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// Only specify domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
// Note that this field should not be needed when using GitHub's public API ("github.com").
// However, if you choose to specify this field when using GitHub's public API, you must
// specify a CA bundle that will verify connections to "api.github.com".
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
// Defaults to "OnlyUsersFromAllowedOrganizations".
//
// Must be set to "AllGitHubUsers" if the allowed field is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.

36
generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -3,9 +3,45 @@
package v1alpha1
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

29
generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}

36
generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -92,6 +95,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- audience

36
generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -22,6 +22,9 @@ spec:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -63,6 +66,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- endpoint

10
generated/1.26/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -143,8 +143,9 @@ spec:
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
description: |-
Type determines the type of the constant, and indicates which other field should be non-empty.
Allowed values are "string" or "stringList".
enum:
- string
- stringList
@@ -262,8 +263,9 @@ spec:
an authentication attempt. When empty, a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
description: |-
Type determines the type of the expression. It must be one of the supported types.
Allowed values are "policy/v1", "username/v1", or "groups/v1".
enum:
- policy/v1
- username/v1

33
generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -170,6 +170,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

48
generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated
View File

@@ -89,7 +89,11 @@ spec:
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
Defaults to "OnlyUsersFromAllowedOrganizations".
Must be set to "AllGitHubUsers" if the allowed field is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
Only specify domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
description: |-
TLS configuration for GitHub Enterprise Server.
Note that this field should not be needed when using GitHub's public API ("github.com").
However, if you choose to specify this field when using GitHub's public API, you must
specify a CA bundle that will verify connections to "api.github.com".
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
type: object
required:

33
generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -161,6 +161,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

33
generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -211,6 +211,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- client

96
generated/1.27/README.adoc generated
View File

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
==== JWTAuthenticator
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various authenticators.
TLSSpec provides TLS configuration on various authenticators.
.Appears In:
****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
==== ImpersonationProxyMode (string)
ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
Allowed values are "auto", "enabled", or "disabled".
.Appears In:
****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
==== ImpersonationProxyServiceType (string)
ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
Allowed values are "LoadBalancer", "ClusterIP", or "None".
.Appears In:
****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
Allowed values are "string" or "stringList". +
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
|===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
Allowed values are "policy/v1", "username/v1", or "groups/v1". +
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
Only specify domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
Note that this field should not be needed when using GitHub's public API ("github.com"). +
However, if you choose to specify this field when using GitHub's public API, you must +
specify a CA bundle that will verify connections to "api.github.com". +
|===
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===

1
generated/1.27/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated
View File

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {

40
generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go generated
View File

@@ -1,11 +1,47 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for configuring TLS on various authenticators.
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration on various authenticators.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

1
generated/1.27/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go generated
View File

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type WebhookAuthenticator struct {

25
generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -13,6 +13,22 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}

4
generated/1.27/apis/concierge/config/v1alpha1/types_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
}
// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
// Allowed values are "auto", "enabled", or "disabled".
//
// +kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
)
// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
// Allowed values are "LoadBalancer", "ClusterIP", or "None".
//
// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxyServiceType string

4
generated/1.27/apis/go.mod generated
View File

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.27/apis
go 1.13
require (
k8s.io/api v0.27.15
k8s.io/apimachinery v0.27.15
k8s.io/api v0.27.16
k8s.io/apimachinery v0.27.16
)

8
generated/1.27/apis/go.sum generated
View File

@@ -330,10 +330,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.27.15 h1:+bR5ju3H+OjePA1DMEmHm33EzhtmqWBuQvqhTVYFXD0=
k8s.io/api v0.27.15/go.mod h1:x/uHpsq4NAAGMiHWhq3P5W1ABiw4/aUWpIeGq1XmegY=
k8s.io/apimachinery v0.27.15 h1:wT8HeVe/KNcX+QavW97ZpKiGxSN5glW39Dxvj/8wMPU=
k8s.io/apimachinery v0.27.15/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
k8s.io/api v0.27.16 h1:70IBoTuiPfd+Tm68WH0tGXQRSQq0R1xnbyhTRe8WYQY=
k8s.io/api v0.27.16/go.mod h1:5j0Cgo6X4qovBOu3OjzRwETDEYqMxq2qafhDQXOPy3A=
k8s.io/apimachinery v0.27.16 h1:Nmbei3P/6w6vxbNxV8/sDCZz+TQrJ9A4+bVIRjDufuM=
k8s.io/apimachinery v0.27.16/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

4
generated/1.27/apis/supervisor/config/v1alpha1/types_federationdomain.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`

11
generated/1.27/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated
View File

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// Only specify domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
// Note that this field should not be needed when using GitHub's public API ("github.com").
// However, if you choose to specify this field when using GitHub's public API, you must
// specify a CA bundle that will verify connections to "api.github.com".
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
// Defaults to "OnlyUsersFromAllowedOrganizations".
//
// Must be set to "AllGitHubUsers" if the allowed field is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.

36
generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -3,9 +3,45 @@
package v1alpha1
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

29
generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
*out = *in
@@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
out.Bind = in.Bind
out.UserSearch = in.UserSearch
@@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig)
in.Claims.DeepCopyInto(&out.Claims)
@@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}

4
generated/1.27/client/go.mod generated
View File

@@ -7,7 +7,7 @@ replace go.pinniped.dev/generated/1.27/apis => ../apis
require (
go.pinniped.dev/generated/1.27/apis v0.0.0
k8s.io/apimachinery v0.27.15
k8s.io/client-go v0.27.15
k8s.io/apimachinery v0.27.16
k8s.io/client-go v0.27.16
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
)

12
generated/1.27/client/go.sum generated
View File

@@ -370,12 +370,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.27.15 h1:+bR5ju3H+OjePA1DMEmHm33EzhtmqWBuQvqhTVYFXD0=
k8s.io/api v0.27.15/go.mod h1:x/uHpsq4NAAGMiHWhq3P5W1ABiw4/aUWpIeGq1XmegY=
k8s.io/apimachinery v0.27.15 h1:wT8HeVe/KNcX+QavW97ZpKiGxSN5glW39Dxvj/8wMPU=
k8s.io/apimachinery v0.27.15/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
k8s.io/client-go v0.27.15 h1:SDUs0ap/VuHPyoRiEChUhXQlh25UZAeXcm82J3TYy2w=
k8s.io/client-go v0.27.15/go.mod h1:/ULqZ7zjeuEm/fSf7A5kKmbWb2GY/CnCiquS5XzAdzo=
k8s.io/api v0.27.16 h1:70IBoTuiPfd+Tm68WH0tGXQRSQq0R1xnbyhTRe8WYQY=
k8s.io/api v0.27.16/go.mod h1:5j0Cgo6X4qovBOu3OjzRwETDEYqMxq2qafhDQXOPy3A=
k8s.io/apimachinery v0.27.16 h1:Nmbei3P/6w6vxbNxV8/sDCZz+TQrJ9A4+bVIRjDufuM=
k8s.io/apimachinery v0.27.16/go.mod h1:TWo+8wOIz3CytsrlI9k/LBWXLRr9dqf5hRSCbbggMAg=
k8s.io/client-go v0.27.16 h1:x06Jk6/SIQQ6kAsWs5uzQIkBLHtcAQlbTAgmj1tZzG0=
k8s.io/client-go v0.27.16/go.mod h1:bPZUNRj8XsHa+JVS5jU6qeU2H/Za8+7riWA08FUjaA8=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

36
generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml generated
View File

@@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.audience
name: Audience
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -92,6 +95,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- audience

36
generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml generated
View File

@@ -22,6 +22,9 @@ spec:
- jsonPath: .spec.endpoint
name: Endpoint
type: string
- jsonPath: .status.phase
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
@@ -63,6 +66,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- endpoint

10
generated/1.27/crds/config.supervisor.pinniped.dev_federationdomains.yaml generated
View File

@@ -143,8 +143,9 @@ spec:
Type is "string", and is otherwise ignored.
type: string
type:
description: Type determines the type of the constant,
and indicates which other field should be non-empty.
description: |-
Type determines the type of the constant, and indicates which other field should be non-empty.
Allowed values are "string" or "stringList".
enum:
- string
- stringList
@@ -262,8 +263,9 @@ spec:
an authentication attempt. When empty, a default message will be used.
type: string
type:
description: Type determines the type of the expression.
It must be one of the supported types.
description: |-
Type determines the type of the expression. It must be one of the supported types.
Allowed values are "policy/v1", "username/v1", or "groups/v1".
enum:
- policy/v1
- username/v1

33
generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml generated
View File

@@ -170,6 +170,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

48
generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml generated
View File

@@ -89,7 +89,11 @@ spec:
policy:
default: OnlyUsersFromAllowedOrganizations
description: |-
Policy must be set to "AllGitHubUsers" if allowed is empty.
Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
Defaults to "OnlyUsersFromAllowedOrganizations".
Must be set to "AllGitHubUsers" if the allowed field is empty.
This field only exists to ensure that Pinniped administrators are aware that an empty list of
@@ -210,21 +214,59 @@ spec:
description: |-
Host is required only for GitHub Enterprise Server.
Defaults to using GitHub's public API ("github.com").
For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
Do not specify a protocol or scheme since "https://" will always be used.
Port is optional. Do not specify a path, query, fragment, or userinfo.
Only domain name or IP address, subdomains (optional), and port (optional).
Only specify domain name or IP address, subdomains (optional), and port (optional).
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
in square brackets. Example: "[::1]:443".
minLength: 1
type: string
tls:
description: TLS configuration for GitHub Enterprise Server.
description: |-
TLS configuration for GitHub Enterprise Server.
Note that this field should not be needed when using GitHub's public API ("github.com").
However, if you choose to specify this field when using GitHub's public API, you must
specify a CA bundle that will verify connections to "api.github.com".
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM
bundle). If omitted, a default set of system roots will
be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
type: object
required:

33
generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml generated
View File

@@ -161,6 +161,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
userSearch:
description: UserSearch contains the configuration for searching for

33
generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml generated
View File

@@ -211,6 +211,39 @@ spec:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
If omitted, a default set of system roots will be trusted.
type: string
certificateAuthorityDataSource:
description: |-
Reference to a CA bundle in a secret or a configmap.
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
properties:
key:
description: |-
Key is the key name within the secret or configmap from which to read the CA bundle.
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
certificate bundle.
minLength: 1
type: string
kind:
description: |-
Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
Allowed values are "Secret" or "ConfigMap".
"ConfigMap" uses a Kubernetes configmap to source CA Bundles.
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
enum:
- Secret
- ConfigMap
type: string
name:
description: |-
Name is the resource name of the secret or configmap from which to read the CA bundle.
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
minLength: 1
type: string
required:
- key
- kind
- name
type: object
type: object
required:
- client

96
generated/1.28/README.adoc generated
View File

@@ -23,6 +23,43 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-jwtauthenticator"]
==== JWTAuthenticator
@@ -125,7 +162,7 @@ username from the JWT token. When not specified, it will default to "username".
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-tlsspec"]
==== TLSSpec
Configuration for configuring TLS on various authenticators.
TLSSpec provides TLS configuration on various authenticators.
.Appears In:
****
@@ -137,6 +174,8 @@ Configuration for configuring TLS on various authenticators.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===
@@ -503,6 +542,7 @@ ImpersonationProxyInfo describes the parameters for the impersonation proxy on t
==== ImpersonationProxyMode (string)
ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
Allowed values are "auto", "enabled", or "disabled".
.Appears In:
****
@@ -539,6 +579,7 @@ This is not supported on all cloud providers. +
==== ImpersonationProxyServiceType (string)
ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
Allowed values are "LoadBalancer", "ClusterIP", or "None".
.Appears In:
****
@@ -928,6 +969,7 @@ the transform expressions. This is a union type, and Type is the discriminator f
| Field | Description
| *`name`* __string__ | Name determines the name of the constant. It must be a valid identifier name. +
| *`type`* __string__ | Type determines the type of the constant, and indicates which other field should be non-empty. +
Allowed values are "string" or "stringList". +
| *`stringValue`* __string__ | StringValue should hold the value when Type is "string", and is otherwise ignored. +
| *`stringListValue`* __string array__ | StringListValue should hold the value when Type is "stringList", and is otherwise ignored. +
|===
@@ -994,6 +1036,7 @@ FederationDomainTransformsExpression defines a transform expression.
|===
| Field | Description
| *`type`* __string__ | Type determines the type of the expression. It must be one of the supported types. +
Allowed values are "policy/v1", "username/v1", or "groups/v1". +
| *`expression`* __string__ | Expression is a CEL expression that will be evaluated based on the Type during an authentication. +
| *`message`* __string__ | Message is only used when Type is policy/v1. It defines an error message to be used when the policy rejects +
an authentication attempt. When empty, a default message will be used. +
@@ -1645,6 +1688,43 @@ Optional, when empty this defaults to "objectGUID". +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind"]
==== CertificateAuthorityDataSourceKind (string)
CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]
****
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec"]
==== CertificateAuthorityDataSourceSpec
CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
.Appears In:
****
- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]
****
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`kind`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcekind[$$CertificateAuthorityDataSourceKind$$]__ | Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap. +
Allowed values are "Secret" or "ConfigMap". +
"ConfigMap" uses a Kubernetes configmap to source CA Bundles. +
"Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles. +
| *`name`* __string__ | Name is the resource name of the secret or configmap from which to read the CA bundle. +
The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed. +
| *`key`* __string__ | Key is the key name within the secret or configmap from which to read the CA bundle. +
The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded +
certificate bundle. +
|===
[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig"]
==== GitHubAPIConfig
@@ -1660,12 +1740,16 @@ GitHubAPIConfig allows configuration for GitHub Enterprise Server
| Field | Description
| *`host`* __string__ | Host is required only for GitHub Enterprise Server. +
Defaults to using GitHub's public API ("github.com"). +
For convenience, specifying "github.com" is equivalent to specifying "api.github.com". +
Do not specify a protocol or scheme since "https://" will always be used. +
Port is optional. Do not specify a path, query, fragment, or userinfo. +
Only domain name or IP address, subdomains (optional), and port (optional). +
Only specify domain name or IP address, subdomains (optional), and port (optional). +
IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address +
in square brackets. Example: "[::1]:443". +
| *`tls`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration for GitHub Enterprise Server. +
Note that this field should not be needed when using GitHub's public API ("github.com"). +
However, if you choose to specify this field when using GitHub's public API, you must +
specify a CA bundle that will verify connections to "api.github.com". +
|===
@@ -1890,7 +1974,11 @@ GitHubIdentityProviderStatus is the status of an GitHub identity provider.
[cols="25a,75a", options="header"]
|===
| Field | Description
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Policy must be set to "AllGitHubUsers" if allowed is empty. +
| *`policy`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githuballowedauthorganizationspolicy[$$GitHubAllowedAuthOrganizationsPolicy$$]__ | Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers". +
Defaults to "OnlyUsersFromAllowedOrganizations". +
Must be set to "AllGitHubUsers" if the allowed field is empty. +
This field only exists to ensure that Pinniped administrators are aware that an empty list of +
@@ -2401,6 +2489,8 @@ TLSSpec provides TLS configuration for identity provider integration.
|===
| Field | Description
| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +
| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-certificateauthoritydatasourcespec[$$CertificateAuthorityDataSourceSpec$$]__ | Reference to a CA bundle in a secret or a configmap. +
Any changes to the CA bundle in the secret or configmap will be dynamically reloaded. +
|===

1
generated/1.28/apis/concierge/authentication/v1alpha1/types_jwtauthenticator.go generated
View File

@@ -79,6 +79,7 @@ type JWTTokenClaims struct {
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer`
// +kubebuilder:printcolumn:name="Audience",type=string,JSONPath=`.spec.audience`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type JWTAuthenticator struct {

40
generated/1.28/apis/concierge/authentication/v1alpha1/types_tls.go generated
View File

@@ -1,11 +1,47 @@
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
// Configuration for configuring TLS on various authenticators.
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Concierge is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration on various authenticators.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

1
generated/1.28/apis/concierge/authentication/v1alpha1/types_webhookauthenticator.go generated
View File

@@ -50,6 +50,7 @@ type WebhookAuthenticatorSpec struct {
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:categories=pinniped;pinniped-authenticator;pinniped-authenticators,scope=Cluster
// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase`
// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
// +kubebuilder:subresource:status
type WebhookAuthenticator struct {

25
generated/1.28/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -13,6 +13,22 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertificateAuthorityDataSourceSpec) DeepCopyInto(out *CertificateAuthorityDataSourceSpec) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityDataSourceSpec.
func (in *CertificateAuthorityDataSourceSpec) DeepCopy() *CertificateAuthorityDataSourceSpec {
if in == nil {
return nil
}
out := new(CertificateAuthorityDataSourceSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) {
*out = *in
@@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) {
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}
@@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLSSpec) DeepCopyInto(out *TLSSpec) {
*out = *in
if in.CertificateAuthorityDataSource != nil {
in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource
*out = new(CertificateAuthorityDataSourceSpec)
**out = **in
}
return
}
@@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec)
if in.TLS != nil {
in, out := &in.TLS, &out.TLS
*out = new(TLSSpec)
**out = **in
(*in).DeepCopyInto(*out)
}
return
}

4
generated/1.28/apis/concierge/config/v1alpha1/types_credentialissuer.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -49,6 +49,7 @@ type CredentialIssuerSpec struct {
}
// ImpersonationProxyMode enumerates the configuration modes for the impersonation proxy.
// Allowed values are "auto", "enabled", or "disabled".
//
// +kubebuilder:validation:Enum=auto;enabled;disabled
type ImpersonationProxyMode string
@@ -65,6 +66,7 @@ const (
)
// ImpersonationProxyServiceType enumerates the types of service that can be provisioned for the impersonation proxy.
// Allowed values are "LoadBalancer", "ClusterIP", or "None".
//
// +kubebuilder:validation:Enum=LoadBalancer;ClusterIP;None
type ImpersonationProxyServiceType string

4
generated/1.28/apis/go.mod generated
View File

@@ -4,6 +4,6 @@ module go.pinniped.dev/generated/1.28/apis
go 1.13
require (
k8s.io/api v0.28.11
k8s.io/apimachinery v0.28.11
k8s.io/api v0.28.12
k8s.io/apimachinery v0.28.12
)

8
generated/1.28/apis/go.sum generated
View File

@@ -297,10 +297,10 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.28.11 h1:2qFr3jSpjy/9QirmlRP0LZeomexuwyRlE8CWUn9hPNY=
k8s.io/api v0.28.11/go.mod h1:nQSGyxQ2sbS73i1zEJyaktFvFfD72z/7nU+LqxzNnXk=
k8s.io/apimachinery v0.28.11 h1:Ovrx7IOkKSgFJn8+d5BXOC7POzP4i7kOAVlx46iRQ04=
k8s.io/apimachinery v0.28.11/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o=
k8s.io/api v0.28.12 h1:C2hpsaso18pqn0Dmkfnbv/YCctozTC3KGGuZ6bF7zhQ=
k8s.io/api v0.28.12/go.mod h1:qjswI+whxvf9LAKD4sEYHfy+WgHGWeH+H5sCRQMwZAQ=
k8s.io/apimachinery v0.28.12 h1:VepMEVOi9o7L/4wMAXJq+3BK9tqBIeerTB+HSOTKeo0=
k8s.io/apimachinery v0.28.12/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

4
generated/1.28/apis/supervisor/config/v1alpha1/types_federationdomain.go generated
View File

@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package v1alpha1
@@ -55,6 +55,7 @@ type FederationDomainTransformsConstant struct {
Name string `json:"name"`
// Type determines the type of the constant, and indicates which other field should be non-empty.
// Allowed values are "string" or "stringList".
// +kubebuilder:validation:Enum=string;stringList
Type string `json:"type"`
@@ -70,6 +71,7 @@ type FederationDomainTransformsConstant struct {
// FederationDomainTransformsExpression defines a transform expression.
type FederationDomainTransformsExpression struct {
// Type determines the type of the expression. It must be one of the supported types.
// Allowed values are "policy/v1", "username/v1", or "groups/v1".
// +kubebuilder:validation:Enum=policy/v1;username/v1;groups/v1
Type string `json:"type"`

11
generated/1.28/apis/supervisor/idp/v1alpha1/types_githubidentityprovider.go generated
View File

@@ -53,9 +53,10 @@ type GitHubIdentityProviderStatus struct {
type GitHubAPIConfig struct {
// Host is required only for GitHub Enterprise Server.
// Defaults to using GitHub's public API ("github.com").
// For convenience, specifying "github.com" is equivalent to specifying "api.github.com".
// Do not specify a protocol or scheme since "https://" will always be used.
// Port is optional. Do not specify a path, query, fragment, or userinfo.
// Only domain name or IP address, subdomains (optional), and port (optional).
// Only specify domain name or IP address, subdomains (optional), and port (optional).
// IPv4 and IPv6 are supported. If using an IPv6 address with a port, you must enclose the IPv6 address
// in square brackets. Example: "[::1]:443".
//
@@ -65,6 +66,9 @@ type GitHubAPIConfig struct {
Host *string `json:"host"`
// TLS configuration for GitHub Enterprise Server.
// Note that this field should not be needed when using GitHub's public API ("github.com").
// However, if you choose to specify this field when using GitHub's public API, you must
// specify a CA bundle that will verify connections to "api.github.com".
//
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
@@ -167,7 +171,10 @@ type GitHubClientSpec struct {
}
type GitHubOrganizationsSpec struct {
// Policy must be set to "AllGitHubUsers" if allowed is empty.
// Allowed values are "OnlyUsersFromAllowedOrganizations" or "AllGitHubUsers".
// Defaults to "OnlyUsersFromAllowedOrganizations".
//
// Must be set to "AllGitHubUsers" if the allowed field is empty.
//
// This field only exists to ensure that Pinniped administrators are aware that an empty list of
// allowedOrganizations means all GitHub users are allowed to log in.

36
generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go generated
View File

@@ -3,9 +3,45 @@
package v1alpha1
// CertificateAuthorityDataSourceKind enumerates the sources for CA Bundles.
//
// +kubebuilder:validation:Enum=Secret;ConfigMap
type CertificateAuthorityDataSourceKind string
const (
// CertificateAuthorityDataSourceKindConfigMap uses a Kubernetes configmap to source CA Bundles.
CertificateAuthorityDataSourceKindConfigMap = CertificateAuthorityDataSourceKind("ConfigMap")
// CertificateAuthorityDataSourceKindSecret uses a Kubernetes secret to source CA Bundles.
// Secrets used to source CA Bundles must be of type kubernetes.io/tls or Opaque.
CertificateAuthorityDataSourceKindSecret = CertificateAuthorityDataSourceKind("Secret")
)
// CertificateAuthorityDataSourceSpec provides a source for CA bundle used for client-side TLS verification.
type CertificateAuthorityDataSourceSpec struct {
// Kind configures whether the CA bundle is being sourced from a Kubernetes secret or a configmap.
// Allowed values are "Secret" or "ConfigMap".
// "ConfigMap" uses a Kubernetes configmap to source CA Bundles.
// "Secret" uses Kubernetes secrets of type kubernetes.io/tls or Opaque to source CA Bundles.
Kind CertificateAuthorityDataSourceKind `json:"kind"`
// Name is the resource name of the secret or configmap from which to read the CA bundle.
// The referenced secret or configmap must be created in the same namespace where Pinniped Supervisor is installed.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// Key is the key name within the secret or configmap from which to read the CA bundle.
// The value found at this key in the secret or configmap must not be empty, and must be a valid PEM-encoded
// certificate bundle.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
// TLSSpec provides TLS configuration for identity provider integration.
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
// Reference to a CA bundle in a secret or a configmap.
// Any changes to the CA bundle in the secret or configmap will be dynamically reloaded.
// +optional
CertificateAuthorityDataSource *CertificateAuthorityDataSourceSpec `json:"certificateAuthorityDataSource,omitempty"`
}

Some files were not shown because too many files have changed in this diff Show More