From 19c3f2cb04c47de0e32caf314b46953b7324a7ce Mon Sep 17 00:00:00 2001 From: Ashish Amarnath Date: Fri, 21 Jun 2024 13:39:20 -0700 Subject: [PATCH] run hack/update.sh 
Signed-off-by: Ashish Amarnath --- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.24/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.25/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.26/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ 
.../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.27/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.28/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.29/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ 
.../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/1.30/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- ...cierge.pinniped.dev_jwtauthenticators.yaml | 27 ++++++++++++ ...ge.pinniped.dev_webhookauthenticators.yaml | 27 ++++++++++++ ....dev_activedirectoryidentityproviders.yaml | 27 ++++++++++++ ....pinniped.dev_githubidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_ldapidentityproviders.yaml | 27 ++++++++++++ ...or.pinniped.dev_oidcidentityproviders.yaml | 27 ++++++++++++ generated/latest/README.adoc | 44 +++++++++++++++++++ .../authentication/v1alpha1/types_tls.go | 18 ++++++++ .../v1alpha1/zz_generated.deepcopy.go | 25 ++++++++++- .../apis/supervisor/idp/v1alpha1/types_tls.go | 19 ++++++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 29 ++++++++++-- 88 files changed, 2328 insertions(+), 48 deletions(-) diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml 
@@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.24/README.adoc b/generated/1.24/README.adoc index 3311e31fc..9c8e11adf 100644 --- a/generated/1.24/README.adoc +++ b/generated/1.24/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-24-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.24/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
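Review bot: The comment on the new `CertificateAuthorityDataSource` field in `TLSSpec` does not say how it interacts with the existing `CertificateAuthorityData`; both are `+optional`, so a reader cannot tell which CA bundle is trusted when a spec sets both. Because this choice decides which trust anchors verify the TLS connection, the field comment should state the rule; if setting both is meant to be rejected, something like `// Must not be set together with certificateAuthorityData.` would do. `CABundleSource` also has only `Kind`, `Name` and `Key`, so the comment on `Name` should say in which namespace the secret or configmap is looked up. The same wording appears in the supervisor `idp/v1alpha1/types_tls.go` hunk and in the CRD descriptions; since these files are written by `hack/update.sh`, the comment change belongs in the source they are generated from.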
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.24/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.24/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.24/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.24/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.25/README.adoc b/generated/1.25/README.adoc index 3ae558150..e3cc6695a 100644 --- a/generated/1.25/README.adoc +++ b/generated/1.25/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-25-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.25/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.25/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
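Review bot: `TLSSpec` now carries two optional trust sources, `CertificateAuthorityData` and `CertificateAuthorityDataSource`, and neither field comment says what happens when both are set or which one is used. For a field that decides which CAs are trusted for TLS verification, that should be written down, for example `// Must not be set together with certificateAuthorityData.` if that is the enforced rule, or otherwise a line stating the actual precedence. `CABundleSource` also has `Name` and `Key` but no namespace field, so the `Name` comment should say which namespace the secret or configmap is read from, presumably the one Pinniped itself runs in. The same comments recur in the supervisor copy of this file and in both 1.26 copies. Because these files live under `generated/`, the wording likely has to change in the source that `hack/update.sh` copies from.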
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.25/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.25/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.25/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.26/README.adoc b/generated/1.26/README.adoc index a3f58fc82..183d82ba9 100644 --- a/generated/1.26/README.adoc +++ b/generated/1.26/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-26-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.26/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.26/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.26/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.26/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.26/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.27/README.adoc b/generated/1.27/README.adoc index 3fd81787a..8b3958ac5 100644 --- a/generated/1.27/README.adoc +++ b/generated/1.27/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-27-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.27/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.27/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
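Review bot: The new `CertificateAuthorityDataSource` field in `TLSSpec` is documented without saying how it interacts with `CertificateAuthorityData`. Both are `+optional`, and the existing sentence "If omitted, a default set of system roots will be trusted" now reads as if only the inline field decides that. I would state the rule on the new field, for example `// At most one of CertificateAuthorityData and CertificateAuthorityDataSource should be set; system roots are trusted only when both are omitted.`, adjusted to whatever the controllers actually enforce, which this diff does not show. `CABundleSource` also has no namespace field, so its comment should say which namespace the Secret or ConfigMap is read from, and that anyone able to write that object chooses the trust roots for these TLS connections. The file sits under `generated/`, so the wording belongs in the source it is copied from; the same applies to the supervisor `idp/v1alpha1/types_tls.go` hunk and to the 1.28 copies of both files.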
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.27/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.27/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.27/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.28/README.adoc b/generated/1.28/README.adoc index fb7366e47..913c0b5f7 100644 --- a/generated/1.28/README.adoc +++ b/generated/1.28/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-28-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.28/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.28/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.28/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.28/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.28/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.28/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.28/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.28/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.28/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.28/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.28/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.29/README.adoc b/generated/1.29/README.adoc index 120952689..c169c7ee8 100644 --- a/generated/1.29/README.adoc +++ b/generated/1.29/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-29-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.29/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.29/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.29/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.29/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.29/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.29/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.29/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.29/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.29/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.29/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.29/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.29/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.29/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.29/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.29/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.29/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.29/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.29/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.29/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.29/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.29/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.29/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.29/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.29/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.29/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.29/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.29/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/1.30/README.adoc b/generated/1.30/README.adoc index 337aacd2a..8eb340a40 100644 --- a/generated/1.30/README.adoc +++ b/generated/1.30/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.30/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/1.30/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/1.30/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.30/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
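Review bot: The new `CertificateAuthorityDataSource` field on `TLSSpec` is documented only as "Reference to a CA bundle in a secret or a configmap.", which leaves unstated what happens when it is set together with `CertificateAuthorityData` and in which namespace `name` is looked up (`CABundleSource` has no namespace field). Both fields are `+optional` and no validation marker visible in this hunk makes them mutually exclusive, so the field comment should state the rule the controller actually applies, for example `// Must not be set together with certificateAuthorityData.`, plus one line naming the namespace the secret or configmap is read from. Whoever can write the referenced object decides which CAs these TLS connections trust, so the comment is also the place to tell operators to restrict write access to it. This file sits under generated/, so the wording presumably belongs in the source that hack/update.sh copies from; the same comment text appears in the supervisor types_tls.go hunk and in both generated/latest copies.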
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/1.30/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.30/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/1.30/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/1.30/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } 
diff --git a/generated/1.30/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/generated/1.30/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml index d59fcb783..1e503bda2 100644 --- a/generated/1.30/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml +++ b/generated/1.30/crds/authentication.concierge.pinniped.dev_jwtauthenticators.yaml @@ -92,6 +92,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - audience diff --git a/generated/1.30/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/generated/1.30/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml index 4ccd53770..b3b024977 100644 --- a/generated/1.30/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml +++ b/generated/1.30/crds/authentication.concierge.pinniped.dev_webhookauthenticators.yaml 
@@ -63,6 +63,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - endpoint diff --git a/generated/1.30/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/generated/1.30/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml index 062251102..8940aebb9 100644 --- a/generated/1.30/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml +++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml 
@@ -170,6 +170,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.30/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/generated/1.30/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml index f93108700..39db773a2 100644 --- a/generated/1.30/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml +++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_githubidentityproviders.yaml 
@@ -225,6 +225,33 @@ spec: bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object type: object required: diff --git a/generated/1.30/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/generated/1.30/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml index 711e9a754..34f0cb92a 100644 --- a/generated/1.30/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml +++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml 
@@ -161,6 +161,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object userSearch: description: UserSearch contains the configuration for searching for diff --git a/generated/1.30/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/generated/1.30/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml index acfca1573..ff69c2d8c 100644 --- a/generated/1.30/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml +++ b/generated/1.30/crds/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml 
@@ -211,6 +211,33 @@ spec: description: X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. type: string + certificateAuthorityDataSource: + description: Reference to a CA bundle in a secret or a configmap. + properties: + key: + description: Key within the secret or configmap from which + to read the CA bundle. + minLength: 1 + type: string + kind: + description: |- + Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + Secrets must be of type kubernetes.io/tls or Opaque. + For configmaps, the value associated with the key is not expected to be base64 encoded. + enum: + - Secret + - ConfigMap + type: string + name: + description: Name of the secret or configmap from which to + read the CA bundle. + minLength: 1 + type: string + required: + - key + - kind + - name + type: object type: object required: - client diff --git a/generated/latest/README.adoc b/generated/latest/README.adoc index 337aacd2a..8eb340a40 100644 --- a/generated/latest/README.adoc +++ b/generated/latest/README.adoc 
@@ -23,6 +23,27 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped concierge authenticatio +[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-jwtauthenticator"] ==== JWTAuthenticator @@ -137,6 +158,7 @@ Configuration for configuring TLS on various authenticators. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-concierge-authentication-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== 
@@ -1645,6 +1667,27 @@ Optional, when empty this defaults to "objectGUID". + |=== +[id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-cabundlesource"] +==== CABundleSource + +CABundleSource provides a source for CA bundle used for client-side TLS verification. + +.Appears In: +**** +- xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-tlsspec[$$TLSSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`kind`* __string__ | Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + +Secrets must be of type kubernetes.io/tls or Opaque. + +For configmaps, the value associated with the key is not expected to be base64 encoded. + +| *`name`* __string__ | Name of the secret or configmap from which to read the CA bundle. + +| *`key`* __string__ | Key within the secret or configmap from which to read the CA bundle. + +|=== + + [id="{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-githubapiconfig"] ==== GitHubAPIConfig @@ -2401,6 +2444,7 @@ TLSSpec provides TLS configuration for identity provider integration. |=== | Field | Description | *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + +| *`certificateAuthorityDataSource`* __xref:{anchor_prefix}-go-pinniped-dev-generated-1-30-apis-supervisor-idp-v1alpha1-cabundlesource[$$CABundleSource$$]__ | Reference to a CA bundle in a secret or a configmap. + |=== diff --git a/generated/latest/apis/concierge/authentication/v1alpha1/types_tls.go b/generated/latest/apis/concierge/authentication/v1alpha1/types_tls.go index 12231665d..e8916dfa5 100644 --- a/generated/latest/apis/concierge/authentication/v1alpha1/types_tls.go +++ b/generated/latest/apis/concierge/authentication/v1alpha1/types_tls.go 
@@ -3,9 +3,27 @@ package v1alpha1 +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // Configuration for configuring TLS on various authenticators. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/latest/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go index 5d36cf81b..27cbcc844 100644 --- a/generated/latest/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/concierge/authentication/v1alpha1/zz_generated.deepcopy.go 
@@ -13,6 +13,22 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWTAuthenticator) DeepCopyInto(out *JWTAuthenticator) { *out = *in @@ -81,7 +97,7 @@ func (in *JWTAuthenticatorSpec) DeepCopyInto(out *JWTAuthenticatorSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -138,6 +154,11 @@ func (in *JWTTokenClaims) DeepCopy() *JWTTokenClaims { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return } @@ -218,7 +239,7 @@ func (in *WebhookAuthenticatorSpec) DeepCopyInto(out *WebhookAuthenticatorSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go b/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go index 49b49373c..c0fc606f6 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/types_tls.go 
@@ -3,9 +3,28 @@ package v1alpha1 + +// CABundleSource provides a source for CA bundle used for client-side TLS verification. +type CABundleSource struct { + // Whether the CA bundle is being sourced from a kubernetes secret or a configmap. + // Secrets must be of type kubernetes.io/tls or Opaque. + // For configmaps, the value associated with the key is not expected to be base64 encoded. + // +kubebuilder:validation:Enum=Secret;ConfigMap + Kind string `json:"kind"` + // Name of the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Name string `json:"name"` + // Key within the secret or configmap from which to read the CA bundle. + // +kubebuilder:validation:MinLength=1 + Key string `json:"key"` +} + // TLSSpec provides TLS configuration for identity provider integration. type TLSSpec struct { // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. // +optional CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` + // Reference to a CA bundle in a secret or a configmap. + // +optional + CertificateAuthorityDataSource *CABundleSource `json:"certificateAuthorityDataSource,omitempty"` } diff --git a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go index e48860e82..41d44d226 100644 --- a/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go +++ b/generated/latest/apis/supervisor/idp/v1alpha1/zz_generated.deepcopy.go @@ -129,7 +129,7 @@ func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectory if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch 
@@ -203,6 +203,22 @@ func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *Activ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CABundleSource) DeepCopyInto(out *CABundleSource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleSource. +func (in *CABundleSource) DeepCopy() *CABundleSource { + if in == nil { + return nil + } + out := new(CABundleSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { *out = *in @@ -214,7 +230,7 @@ func (in *GitHubAPIConfig) DeepCopyInto(out *GitHubAPIConfig) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } return } @@ -534,7 +550,7 @@ func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } out.Bind = in.Bind out.UserSearch = in.UserSearch @@ -740,7 +756,7 @@ func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec) if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLSSpec) - **out = **in + (*in).DeepCopyInto(*out) } in.AuthorizationConfig.DeepCopyInto(&out.AuthorizationConfig) in.Claims.DeepCopyInto(&out.Claims) @@ -800,6 +816,11 @@ func (in *Parameter) DeepCopy() *Parameter { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { *out = *in + if in.CertificateAuthorityDataSource != nil { + in, out := &in.CertificateAuthorityDataSource, &out.CertificateAuthorityDataSource + *out = new(CABundleSource) + **out = **in + } return }