From da7c981f14abb5586714201cc005e9b58a8a2c02 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Fri, 11 Sep 2020 17:56:05 -0700 Subject: [PATCH 01/32] Organize Pinniped CLI into subcommands; Add get-kubeconfig subcommand - Add flag parsing and help messages for root command, `exchange-credential` subcommand, and new `get-kubeconfig` subcommand - The new `get-kubeconfig` subcommand is a work in progress in this commit - Also add here.Doc() and here.Docf() to enable nice heredocs in our code --- cmd/pinniped/cmd/exchange_credential.go | 102 +++++++++++++ .../exchange_credential_test.go} | 20 +-- cmd/pinniped/cmd/get_kubeconfig.go | 136 ++++++++++++++++++ cmd/pinniped/cmd/get_kubeconfig_test.go | 76 ++++++++++ cmd/pinniped/cmd/root.go | 30 ++++ cmd/pinniped/main.go | 61 +------- go.mod | 2 + go.sum | 38 +---- internal/here/doc.go | 25 ++++ internal/here/doc_test.go | 104 ++++++++++++++ 10 files changed, 490 insertions(+), 104 deletions(-) create mode 100644 cmd/pinniped/cmd/exchange_credential.go rename cmd/pinniped/{main_test.go => cmd/exchange_credential_test.go} (86%) create mode 100644 cmd/pinniped/cmd/get_kubeconfig.go create mode 100644 cmd/pinniped/cmd/get_kubeconfig_test.go create mode 100644 cmd/pinniped/cmd/root.go create mode 100644 internal/here/doc.go create mode 100644 internal/here/doc_test.go diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go new file mode 100644 index 000000000..a9f3566f7 --- /dev/null +++ b/cmd/pinniped/cmd/exchange_credential.go @@ -0,0 +1,102 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "context" + "encoding/json" + "fmt" + "io" + "os" + "time" + + "github.com/spf13/cobra" + clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + + "github.com/suzerain-io/pinniped/internal/client" + "github.com/suzerain-io/pinniped/internal/constable" + "github.com/suzerain-io/pinniped/internal/here" +) + +//nolint: gochecknoinits +func init() { + exchangeCredentialCmd := &cobra.Command{ + Run: runExchangeCredential, + Args: cobra.NoArgs, // do not accept positional arguments for this command + Use: "exchange-credential", + Short: "Exchange a credential for a cluster-specific access credential", + Long: here.Doc(` + Exchange a credential which proves your identity for a time-limited, + cluster-specific access credential. + + Designed to be conveniently used as an credential plugin for kubectl. + See the help message for 'pinniped get-kubeconfig' for more + information about setting up a kubeconfig file using Pinniped. + + Requires all of the following environment variables, which are + typically set in the kubeconfig: + - PINNIPED_TOKEN: the token to send to Pinniped for exchange + - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling + Pinniped's HTTPS endpoint + - PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential + exchange API + + For more information about credential plugins in general, see + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + `), + } + + rootCmd.AddCommand(exchangeCredentialCmd) +} + +type envGetter func(string) (string, bool) +type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) + +const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set") + +func runExchangeCredential(_ *cobra.Command, _ []string) { + err := exchangeCredential(os.LookupEnv, client.ExchangeToken, os.Stdout, 30*time.Second) + if err != nil { + _, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error()) + os.Exit(1) + } +} + +func exchangeCredential(envGetter envGetter, tokenExchanger tokenExchanger, outputWriter io.Writer, timeout time.Duration) error { + ctx, cancel := context.WithTimeout(context.Background(), timeout) + defer cancel() + + token, varExists := envGetter("PINNIPED_TOKEN") + if !varExists { + return envVarNotSetError("PINNIPED_TOKEN") + } + + caBundle, varExists := envGetter("PINNIPED_CA_BUNDLE") + if !varExists { + return envVarNotSetError("PINNIPED_CA_BUNDLE") + } + + apiEndpoint, varExists := envGetter("PINNIPED_K8S_API_ENDPOINT") + if !varExists { + return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT") + } + + cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint) + if err != nil { + return fmt.Errorf("failed to get credential: %w", err) + } + + err = json.NewEncoder(outputWriter).Encode(cred) + if err != nil { + return fmt.Errorf("failed to marshal response to stdout: %w", err) + } + + return nil +} + +func envVarNotSetError(varName string) error { + return fmt.Errorf("%w: %s", ErrMissingEnvVar, varName) +} diff --git a/cmd/pinniped/main_test.go b/cmd/pinniped/cmd/exchange_credential_test.go similarity index 86% rename from cmd/pinniped/main_test.go rename to cmd/pinniped/cmd/exchange_credential_test.go index 261fa50b9..db8340203 100644 --- a/cmd/pinniped/main_test.go +++ b/cmd/pinniped/cmd/exchange_credential_test.go @@ -3,7 +3,7 @@ Copyright 2020 VMware, Inc. SPDX-License-Identifier: Apache-2.0 */ -package main +package cmd import ( "bytes" @@ -21,8 +21,8 @@ import ( "github.com/suzerain-io/pinniped/internal/testutil" ) -func TestRun(t *testing.T) { - spec.Run(t, "main.run", func(t *testing.T, when spec.G, it spec.S) { +func TestExchangeCredential(t *testing.T) { + spec.Run(t, "cmd.exchangeCredential", func(t *testing.T, when spec.G, it spec.S) { var r *require.Assertions var buffer *bytes.Buffer var tokenExchanger tokenExchanger @@ -49,19 +49,19 @@ func TestRun(t *testing.T) { when("env vars are missing", func() { it("returns an error when PINNIPED_TOKEN is missing", func() { delete(fakeEnv, "PINNIPED_TOKEN") - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_TOKEN") }) it("returns an error when PINNIPED_CA_BUNDLE is missing", func() { delete(fakeEnv, "PINNIPED_CA_BUNDLE") - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_CA_BUNDLE") }) it("returns an error when PINNIPED_K8S_API_ENDPOINT is missing", func() { delete(fakeEnv, "PINNIPED_K8S_API_ENDPOINT") - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: environment variable not set: PINNIPED_K8S_API_ENDPOINT") }) }) @@ -74,7 +74,7 @@ func TestRun(t *testing.T) { }) it("returns an error", func() { - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.EqualError(err, "failed to get credential: some error") }) }) @@ -91,7 +91,7 @@ func TestRun(t *testing.T) { }) it("returns an error", func() { - err := run(envGetter, tokenExchanger, &testutil.ErrorWriter{ReturnError: fmt.Errorf("some IO error")}, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, &testutil.ErrorWriter{ReturnError: fmt.Errorf("some IO error")}, 30*time.Second) r.EqualError(err, "failed to marshal response to stdout: some IO error") }) }) @@ -113,7 +113,7 @@ func TestRun(t *testing.T) { }) it("returns an error", func() { - err := run(envGetter, tokenExchanger, buffer, 1*time.Millisecond) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 1*time.Millisecond) r.EqualError(err, "failed to get credential: context deadline exceeded") }) }) @@ -141,7 +141,7 @@ func TestRun(t *testing.T) { }) it("writes the execCredential to the given writer", func() { - err := run(envGetter, tokenExchanger, buffer, 30*time.Second) + err := exchangeCredential(envGetter, tokenExchanger, buffer, 30*time.Second) r.NoError(err) r.Equal(fakeEnv["PINNIPED_TOKEN"], actualToken) r.Equal(fakeEnv["PINNIPED_CA_BUNDLE"], actualCaBundle) diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go new file mode 100644 index 000000000..7bceadc18 --- /dev/null +++ b/cmd/pinniped/cmd/get_kubeconfig.go @@ -0,0 +1,136 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "fmt" + "io" + "os" + + "github.com/ghodss/yaml" + "github.com/spf13/cobra" + clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + v1 "k8s.io/client-go/tools/clientcmd/api/v1" + + "github.com/suzerain-io/pinniped/internal/here" +) + +const ( + getKubeConfigCmdTokenFlagName = "token" +) + +//nolint: gochecknoinits +func init() { + getKubeConfigCmd := &cobra.Command{ + Run: runGetKubeConfig, + Args: cobra.NoArgs, // do not accept positional arguments for this command + Use: "get-kubeconfig", + Short: "Print a kubeconfig for authenticating into a cluster via Pinniped", + Long: here.Doc(` + Print a kubeconfig for authenticating into a cluster via Pinniped. + + Assumes that you have admin-like access to the cluster using your + current kubeconfig context, in order to access Pinniped's metadata. + + Prints a kubeconfig which is suitable to access the cluster using + Pinniped as the authentication mechanism. This kubeconfig output + can be saved to a file and used with future kubectl commands, e.g.: + pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig + kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods + `), + } + + rootCmd.AddCommand(getKubeConfigCmd) + + getKubeConfigCmd.Flags().StringP( + getKubeConfigCmdTokenFlagName, + "t", + "", + "The credential to include in the resulting kubeconfig output (Required)", + ) + err := getKubeConfigCmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName) + if err != nil { + panic(err) + } +} + +func runGetKubeConfig(cmd *cobra.Command, _ []string) { + token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String() + + err := getKubeConfig(os.Stdout, token) + + if err != nil { + _, _ = fmt.Fprintf(os.Stderr, "error: %s\n", err.Error()) + os.Exit(1) + } +} + +func getKubeConfig(outputWriter io.Writer, token string) error { + clusterName := "pinniped-cluster" + userName := "pinniped-user" + + fullPathToSelf, err := os.Executable() + if err != nil { + return fmt.Errorf("could not find path to self: %w", err) + } + + config := v1.Config{ + Kind: "Config", + APIVersion: v1.SchemeGroupVersion.Version, + Preferences: v1.Preferences{ + Colors: false, // TODO what does this setting do? + Extensions: nil, + }, + Clusters: []v1.NamedCluster{ + { + Name: clusterName, + Cluster: v1.Cluster{}, // TODO fill in server and cert authority and such + }, + }, + AuthInfos: []v1.NamedAuthInfo{ + { + Name: userName, + AuthInfo: v1.AuthInfo{ + Exec: &v1.ExecConfig{ + Command: fullPathToSelf, + Args: []string{"exchange-credential"}, + Env: []v1.ExecEnvVar{ + {Name: "PINNIPED_K8S_API_ENDPOINT", Value: ""}, // TODO fill in value + {Name: "PINNIPED_CA_BUNDLE", Value: ""}, // TODO fill in value + {Name: "PINNIPED_TOKEN", Value: token}, + }, + APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(), + InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" + + "For more information, please visit https://pinniped.dev", + }, + }, + }, + }, + Contexts: []v1.NamedContext{ + { + Name: clusterName, + Context: v1.Context{ + Cluster: clusterName, + AuthInfo: userName, + }, + }, + }, + CurrentContext: clusterName, + Extensions: nil, + } + + output, err := yaml.Marshal(&config) + if err != nil { + return fmt.Errorf("YAML serialization error: %w", err) + } + + _, err = fmt.Fprint(outputWriter, string(output)) + if err != nil { + return fmt.Errorf("output write error: %w", err) + } + + return nil +} diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go new file mode 100644 index 000000000..feccb96bd --- /dev/null +++ b/cmd/pinniped/cmd/get_kubeconfig_test.go @@ -0,0 +1,76 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "bytes" + "os" + "testing" + + "github.com/sclevine/spec" + "github.com/sclevine/spec/report" + "github.com/stretchr/testify/require" + + "github.com/suzerain-io/pinniped/internal/here" +) + +func TestGetKubeConfig(t *testing.T) { + spec.Run(t, "cmd.getKubeConfig", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + var buffer *bytes.Buffer + var fullPathToSelf string + + it.Before(func() { + r = require.New(t) + buffer = new(bytes.Buffer) + + var err error + fullPathToSelf, err = os.Executable() + r.NoError(err) + }) + + it("writes the kubeconfig to the given writer", func() { + err := getKubeConfig(buffer, "some-token") + r.NoError(err) + + expectedYAML := here.Docf(` + apiVersion: v1 + clusters: + - cluster: + server: "" + name: pinniped-cluster + contexts: + - context: + cluster: pinniped-cluster + user: pinniped-user + name: pinniped-cluster + current-context: pinniped-cluster + kind: Config + preferences: {} + users: + - name: pinniped-user + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + args: + - exchange-credential + command: %s + env: + - name: PINNIPED_K8S_API_ENDPOINT + value: "" + - name: PINNIPED_CA_BUNDLE + value: "" + - name: PINNIPED_TOKEN + value: some-token + installHint: |- + The Pinniped CLI is required to authenticate to the current cluster. + For more information, please visit https://pinniped.dev + `, fullPathToSelf) + + r.Equal(expectedYAML, buffer.String()) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} diff --git a/cmd/pinniped/cmd/root.go b/cmd/pinniped/cmd/root.go new file mode 100644 index 000000000..3ad052920 --- /dev/null +++ b/cmd/pinniped/cmd/root.go @@ -0,0 +1,30 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package cmd + +import ( + "fmt" + "os" + + "github.com/spf13/cobra" +) + +//nolint: gochecknoglobals +var rootCmd = &cobra.Command{ + Use: "pinniped", + Short: "pinniped", + Long: "pinniped is the client-side binary for use with Pinniped-enabled Kubernetes clusters.", + SilenceUsage: true, // do not print usage message when commands fail +} + +// Execute adds all child commands to the root command and sets flags appropriately. +// This is called by main.main(). It only needs to happen once to the rootCmd. +func Execute() { + if err := rootCmd.Execute(); err != nil { + fmt.Println(err) + os.Exit(1) + } +} diff --git a/cmd/pinniped/main.go b/cmd/pinniped/main.go index b232d4009..314019af1 100644 --- a/cmd/pinniped/main.go +++ b/cmd/pinniped/main.go @@ -5,65 +5,8 @@ SPDX-License-Identifier: Apache-2.0 package main -import ( - "context" - "encoding/json" - "fmt" - "io" - "os" - "time" - - clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" - - "github.com/suzerain-io/pinniped/internal/client" - "github.com/suzerain-io/pinniped/internal/constable" -) +import "github.com/suzerain-io/pinniped/cmd/pinniped/cmd" func main() { - err := run(os.LookupEnv, client.ExchangeToken, os.Stdout, 30*time.Second) - if err != nil { - _, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error()) - os.Exit(1) - } -} - -type envGetter func(string) (string, bool) -type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint string) (*clientauthenticationv1beta1.ExecCredential, error) - -const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set") - -func run(envGetter envGetter, tokenExchanger tokenExchanger, outputWriter io.Writer, timeout time.Duration) error { - ctx, cancel := context.WithTimeout(context.Background(), timeout) - defer cancel() - - token, varExists := envGetter("PINNIPED_TOKEN") - if !varExists { - return envVarNotSetError("PINNIPED_TOKEN") - } - - caBundle, varExists := envGetter("PINNIPED_CA_BUNDLE") - if !varExists { - return envVarNotSetError("PINNIPED_CA_BUNDLE") - } - - apiEndpoint, varExists := envGetter("PINNIPED_K8S_API_ENDPOINT") - if !varExists { - return envVarNotSetError("PINNIPED_K8S_API_ENDPOINT") - } - - cred, err := tokenExchanger(ctx, token, caBundle, apiEndpoint) - if err != nil { - return fmt.Errorf("failed to get credential: %w", err) - } - - err = json.NewEncoder(outputWriter).Encode(cred) - if err != nil { - return fmt.Errorf("failed to marshal response to stdout: %w", err) - } - - return nil -} - -func envVarNotSetError(varName string) error { - return fmt.Errorf("%w: %s", ErrMissingEnvVar, varName) + cmd.Execute() } diff --git a/go.mod b/go.mod index 246020d64..65cdc141c 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,9 @@ module github.com/suzerain-io/pinniped go 1.14 require ( + github.com/MakeNowJust/heredoc/v2 v2.0.1 github.com/davecgh/go-spew v1.1.1 + github.com/ghodss/yaml v1.0.0 github.com/go-logr/logr v0.2.1 github.com/golang/mock v1.4.4 github.com/golangci/golangci-lint v1.31.0 diff --git a/go.sum b/go.sum index fb22470c6..3fb7c565a 100644 --- a/go.sum +++ b/go.sum @@ -36,6 +36,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Djarvur/go-err113 v0.0.0-20200511133814-5174e21577d5 h1:XTrzB+F8+SpRmbhAH8HLxhiiG6nYNwaBZjrFps1oWEk= github.com/Djarvur/go-err113 v0.0.0-20200511133814-5174e21577d5/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= +github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A= +github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 h1:lsxEuwrXEAokXB9qhlbKWPpo3KMLZQ5WB5WLQRW1uq0= @@ -98,8 +100,6 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/daixiang0/gci v0.0.0-20200727065011-66f1df783cb2 h1:3Lhhps85OdA8ezsEKu+IA1hE+DBTjt/fjd7xNCrHbVA= -github.com/daixiang0/gci v0.0.0-20200727065011-66f1df783cb2/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4= github.com/daixiang0/gci v0.2.4 h1:BUCKk5nlK2m+kRIsoj+wb/5hazHvHeZieBKWd9Afa8Q= github.com/daixiang0/gci v0.2.4/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -132,16 +132,14 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-critic/go-critic v0.5.0 h1:Ic2p5UCl5fX/2WX2w8nroPpPhxRNsNTMlJzsu/uqwnM= -github.com/go-critic/go-critic v0.5.0/go.mod h1:4jeRh3ZAVnRYhuWdOEvwzVqLUpxMSoAT0xZ74JsTPlo= github.com/go-critic/go-critic v0.5.2 h1:3RJdgf6u4NZUumoP8nzbqiiNT8e1tC2Oc7jlgqre/IA= github.com/go-critic/go-critic v0.5.2/go.mod h1:cc0+HvdE3lFpqLecgqMaJcvWWH77sLdBp+wLGPM1Yyo= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-lintpack/lintpack v0.5.2/go.mod h1:NwZuYi2nUHho8XEIZ6SIxihrnPoqBTDqfpXvXAN0sXM= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= @@ -175,17 +173,13 @@ github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= github.com/go-toolsmith/astcopy v1.0.0 h1:OMgl1b1MEpjFQ1m5ztEO06rz5CUd3oBv9RF7+DyvdG8= github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= -github.com/go-toolsmith/astequal v0.0.0-20180903214952-dcb477bfacd6/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= github.com/go-toolsmith/astequal v1.0.0 h1:4zxD8j3JRFNyLN46lodQuqz3xdKSrur7U/sr0SDS/gQ= github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= -github.com/go-toolsmith/astfmt v0.0.0-20180903215011-8f8ee99c3086/go.mod h1:mP93XdblcopXwlyN4X4uodxXQhldPGZbcEJIimQHrkg= github.com/go-toolsmith/astfmt v1.0.0 h1:A0vDDXt+vsvLEdbMFJAUBI/uTbRw1ffOPnxsILnFL6k= github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU= -github.com/go-toolsmith/astp v0.0.0-20180903215135-0af7e3c24f30/go.mod h1:SV2ur98SGypH1UjcPpCatrV5hPazG6+IfNHbkDXBRrk= github.com/go-toolsmith/astp v1.0.0 h1:alXE75TXgcmupDsMK1fRAy0YUzLzqPVvBKoyWV+KPXg= github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= -github.com/go-toolsmith/pkgload v0.0.0-20181119091011-e9e65178eee8/go.mod h1:WoMrjiy4zvdS+Bg6z9jZH82QXwkcgCBX6nOfnmdaHks= github.com/go-toolsmith/pkgload v1.0.0 h1:4DFWWMXVfbcN5So1sBNW9+yeiMqLFGl1wFLTL5R0Tgg= github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc= github.com/go-toolsmith/strparse v1.0.0 h1:Vcw78DnpCAKlM20kSbAyO4mPfJn/lyYA4BJUDxe2Jb4= @@ -197,8 +191,6 @@ github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/gofrs/flock v0.7.1 h1:DP+LD/t0njgoPBvT5MJLeliUIVQR03hiKR6vezdwHlc= -github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/flock v0.8.0 h1:MSdYClljsF3PbENUUEx85nkWfJSGfzYI9yEBZOJz6CY= github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -244,8 +236,6 @@ github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d h1:pXTK/gkVNs7Zyy github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d/go.mod h1:ozx7R9SIwqmqf5pRP90DhR2Oay2UIjGuKheCBCNwAYU= github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a h1:iR3fYXUjHCR97qWS8ch1y9zPNsgXThGwjKPrYfqMPks= github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= -github.com/golangci/golangci-lint v1.30.0 h1:UhdK5WbO0GBd7W+k2lOD7BEJH4Wsa7zKfw8m3/aEJGQ= -github.com/golangci/golangci-lint v1.30.0/go.mod h1:5t0i3wHlqQc9deBBvZsP+a/4xz7cfjV+zhp5U0Mzp14= github.com/golangci/golangci-lint v1.31.0 h1:+m9I3LEmxXLpymkXRPkDQGzOVBmBYm16UtDiXqZxWek= github.com/golangci/golangci-lint v1.31.0/go.mod h1:aMQuNCA+NDU5+4jLL5pEuFHoue0IznKE2+/GsFvvs8A= github.com/golangci/ineffassign v0.0.0-20190609212857-42439a7714cc h1:gLLhTLMk2/SutryVJ6D4VZCU3CUqr8YloG7FPIBWFpI= @@ -358,8 +348,6 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.10.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.10.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.10.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -436,8 +424,6 @@ github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d h1:AREM5mwr4u1 github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nishanths/exhaustive v0.0.0-20200708172631-8866003e3856 h1:W3KBC2LFyfgd+wNudlfgCCsTo4q97MeNWrfz8/wSdSc= -github.com/nishanths/exhaustive v0.0.0-20200708172631-8866003e3856/go.mod h1:wBEpHwM2OdmeNpdCvRPUlkEbBuaFmcK4Wv8Q7FuGW3c= github.com/nishanths/exhaustive v0.0.0-20200811152831-6cf413ae40e0 h1:eMV1t2NQRc3r1k3guWiv/zEeqZZP6kPvpUfy6byfL1g= github.com/nishanths/exhaustive v0.0.0-20200811152831-6cf413ae40e0/go.mod h1:wBEpHwM2OdmeNpdCvRPUlkEbBuaFmcK4Wv8Q7FuGW3c= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= @@ -492,8 +478,6 @@ github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFB github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= -github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8 h1:DvnesvLtRPQOvaUbfXfh0tpMHg29by0H7F2U+QIkSu8= -github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8/go.mod h1:CGFX09Ci3pq9QZdj86B+VGIdNj4VyCo2iPOGS9esB/k= github.com/quasilyte/go-ruleguard v0.2.0 h1:UOVMyH2EKkxIfzrULvA9n/tO+HtEhqD9mrLSWMr5FwU= github.com/quasilyte/go-ruleguard v0.2.0/go.mod h1:2RT/tf0Ce0UDj5y243iWKosQogJd8+1G3Rs2fxmlYnw= github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95 h1:L8QM9bvf68pVdQ3bCFZMDmnt9yqcMBro1pC7F+IPYMY= @@ -534,8 +518,6 @@ github.com/soheilhy/cmux v0.1.4 h1:0HKaf1o97UwFjHH9o5XsHUOF+tqmdA7KEzXLpiyaw0E= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sonatard/noctx v0.0.1 h1:VC1Qhl6Oxx9vvWo3UDgrGXYCeKCe3Wbw7qAWL6FrmTY= github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= -github.com/sourcegraph/go-diff v0.5.3 h1:lhIKJ2nXLZZ+AfbHpYxTn0pXpNTTui0DX7DO3xeb1Zs= -github.com/sourcegraph/go-diff v0.5.3/go.mod h1:v9JDtjCE4HHHCZGId75rg8gkKKa98RVjBcBGsVmMmak= github.com/sourcegraph/go-diff v0.6.0 h1:WbN9e/jD8ujU+o0vd9IFN5AEwtfB0rn/zM/AANaClqQ= github.com/sourcegraph/go-diff v0.6.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= @@ -555,12 +537,8 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.7.0 h1:xVKxvI7ouOI5I+U9s2eeiUfMaWBVoXA3AWskkrqK0VM= -github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/ssgreg/nlreturn/v2 v2.0.1 h1:+lm6xFjVuNw/9t/Fh5sIwfNWefiD5bddzc6vwJ1TvRI= -github.com/ssgreg/nlreturn/v2 v2.0.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/ssgreg/nlreturn/v2 v2.1.0 h1:6/s4Rc49L6Uo6RLjhWZGBpWWjfzk2yrf1nIW8m4wgVA= github.com/ssgreg/nlreturn/v2 v2.1.0/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -587,8 +565,6 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa h1:RC4maTWLKKwb7p1cnoygsbKIgNlJqSYBeAFON3Ar8As= github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ultraware/funlen v0.0.2 h1:Av96YVBwwNSe4MLR7iI/BIa3VyI7/djnto/pK3Uxbdo= -github.com/ultraware/funlen v0.0.2/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iLA= github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/whitespace v0.0.4 h1:If7Va4cM03mpgrNH9k49/VOicWpGoG70XPBFFODYDsg= @@ -597,9 +573,7 @@ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb github.com/uudashr/gocognit v1.0.1 h1:MoG2fZ0b/Eo7NXoIwCVFLG5JED3qgQz5/NEE+rOsjPs= github.com/uudashr/gocognit v1.0.1/go.mod h1:j44Ayx2KW4+oB6SWMv8KsmHzZrOInQav7D3cQMJ5JUM= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.12.0/go.mod h1:229t1eWu9UXTPmoUkbpN/fctKPBY4IJoFXQnxHGXy6E= github.com/valyala/fasthttp v1.15.1/go.mod h1:YOKImeEosDdBPnxc0gy7INqi3m1zK6A+xl6TwOBhHCA= -github.com/valyala/quicktemplate v1.5.1/go.mod h1:v7yYWpBEiutDyNfVaph6oC/yKwejzVyTX/2cwwHxyok= github.com/valyala/quicktemplate v1.6.2/go.mod h1:mtEJpQtUiBV0SHhMX6RtiJtqxncgrfmjcUy5T68X8TM= github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= @@ -749,7 +723,6 @@ golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181117154741-2ddaf7f79a09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190221204921-83362c3779f5/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -762,7 +735,6 @@ golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190521203540-521d6ed310dd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= @@ -881,8 +853,6 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.19.0 h1:XyrFIJqTYZJ2DU7FBE/bSPz7b1HvbVBuBf07oeo6eTc= @@ -925,5 +895,3 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4 h1:JPJh2pk3+X4lXAkZIk2RuE/7/FoK9maXw+TNPJhVS/c= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= diff --git a/internal/here/doc.go b/internal/here/doc.go new file mode 100644 index 000000000..5c486c919 --- /dev/null +++ b/internal/here/doc.go @@ -0,0 +1,25 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package here + +import ( + "strings" + + "github.com/MakeNowJust/heredoc/v2" +) + +const ( + tab = "\t" + fourSpaces = " " +) + +func Doc(s string) string { + return strings.ReplaceAll(heredoc.Doc(s), tab, fourSpaces) +} + +func Docf(raw string, args ...interface{}) string { + return strings.ReplaceAll(heredoc.Docf(raw, args...), tab, fourSpaces) +} diff --git a/internal/here/doc_test.go b/internal/here/doc_test.go new file mode 100644 index 000000000..611049d83 --- /dev/null +++ b/internal/here/doc_test.go @@ -0,0 +1,104 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package here + +import ( + "testing" + + "github.com/sclevine/spec" + "github.com/sclevine/spec/report" + "github.com/stretchr/testify/require" +) + +func TestDoc(t *testing.T) { + spec.Run(t, "here.Doc", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + + it.Before(func() { + r = require.New(t) + }) + + it("returns single-line strings unchanged", func() { + r.Equal("the quick brown fox", Doc("the quick brown fox")) + r.Equal(" the quick brown fox", Doc(" the quick brown fox")) + }) + + it("returns multi-line strings with indentation removed", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog", + Doc(`the quick brown fox + jumped over the + lazy dog`), + ) + }) + + it("ignores the first empty line and the whitespace in the last line", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog\n", + Doc(` + the quick brown fox + jumped over the + lazy dog + `), + ) + }) + + it("turns all tabs into 4 spaces", func() { + r.Equal( + "the quick brown fox\n jumped over the\n lazy dog\n", + Doc(` + the quick brown fox + jumped over the + lazy dog + `), + ) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) + + spec.Run(t, "here.Docf", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + + it.Before(func() { + r = require.New(t) + }) + + it("returns single-line strings unchanged", func() { + r.Equal("the quick brown fox", Docf("the quick brown %s", "fox")) + r.Equal(" the quick brown fox", Docf(" the %s brown %s", "quick", "fox")) + }) + + it("returns multi-line strings with indentation removed", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog", + Docf(`the quick brown %s + jumped over the + lazy %s`, "fox", "dog"), + ) + }) + + it("ignores the first empty line and the whitespace in the last line", func() { + r.Equal( + "the quick brown fox\njumped over the\nlazy dog\n", + Docf(` + the quick brown %s + jumped over the + lazy %s + `, "fox", "dog"), + ) + }) + + it("turns all tabs into 4 spaces", func() { + r.Equal( + "the quick brown fox\n jumped over the\n lazy dog\n", + Docf(` + the quick brown %s + jumped over the + lazy %s + `, "fox", "dog"), + ) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} From 2cdc3defb7394e62b1d205c075e0d6e9919c90df Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Fri, 11 Sep 2020 18:15:24 -0700 Subject: [PATCH 02/32] Use here.Doc() in a few more places that were begging for it --- .../controller/issuerconfig/publisher_test.go | 19 +++++---- internal/server/server.go | 10 +++-- test/integration/client_test.go | 42 ++++++++++--------- 3 files changed, 38 insertions(+), 33 deletions(-) diff --git a/internal/controller/issuerconfig/publisher_test.go b/internal/controller/issuerconfig/publisher_test.go index f45d83900..2e7b6987b 100644 --- a/internal/controller/issuerconfig/publisher_test.go +++ b/internal/controller/issuerconfig/publisher_test.go @@ -8,7 +8,6 @@ package issuerconfig import ( "context" "errors" - "strings" "testing" "time" @@ -27,6 +26,7 @@ import ( pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/internal/testutil" ) @@ -256,14 +256,15 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{Name: "cluster-info", Namespace: "kube-public"}, // Note that go fmt puts tabs in our file, which we must remove from our configmap yaml below. Data: map[string]string{ - "kubeconfig": strings.ReplaceAll(` - kind: Config - apiVersion: v1 - clusters: - - name: "" - cluster: - certificate-authority-data: "`+caData+`" - server: "`+kubeServerURL+`"`, "\t", " "), + "kubeconfig": here.Docf(` + kind: Config + apiVersion: v1 + clusters: + - name: "" + cluster: + certificate-authority-data: "%s" + server: "%s"`, + caData, kubeServerURL), "uninteresting-key": "uninteresting-value", }, } diff --git a/internal/server/server.go b/internal/server/server.go index 1dcdb8083..4c146ca8f 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -29,6 +29,7 @@ import ( "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controllermanager" "github.com/suzerain-io/pinniped/internal/downward" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/internal/provider" "github.com/suzerain-io/pinniped/internal/registry/credentialrequest" "github.com/suzerain-io/pinniped/pkg/config" @@ -62,10 +63,11 @@ func (a *App) Run() error { // Create the server command and save it into the App. func (a *App) addServerCommand(ctx context.Context, args []string, stdout, stderr io.Writer) { cmd := &cobra.Command{ - Use: `pinniped-server`, - Long: "pinniped-server provides a generic API for mapping an external\n" + - "credential from somewhere to an internal credential to be used for\n" + - "authenticating to the Kubernetes API.", + Use: "pinniped-server", + Long: here.Doc(` + pinniped-server provides a generic API for mapping an external + credential from somewhere to an internal credential to be used for + authenticating to the Kubernetes API.`), RunE: func(cmd *cobra.Command, args []string) error { return a.runServer(ctx) }, Args: cobra.NoArgs, } diff --git a/test/integration/client_test.go b/test/integration/client_test.go index ad480d1a6..138db6d74 100644 --- a/test/integration/client_test.go +++ b/test/integration/client_test.go @@ -14,6 +14,7 @@ import ( "github.com/stretchr/testify/require" "github.com/suzerain-io/pinniped/internal/client" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/test/library" ) @@ -28,27 +29,28 @@ Test certificate and private key that should get an authentication error. Genera [1]: https://github.com/cloudflare/cfssl */ var ( - testCert = strings.TrimSpace(` ------BEGIN CERTIFICATE----- -MIICBDCCAaugAwIBAgIUeidKWlZQuoKfBGydObI1hMwzt9cwCgYIKoZIzj0EAwIw -SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp -c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDA3MjgxOTI3MDBaFw0yMTA3 -MjgxOTI3MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN -U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB -BggqhkjOPQMBBwNCAARk7XBC+OjYmrXOhm7RaJiHW4Q5VsE+iMV90Bzq7ansqAhb -04RI63Y7YPwu1aExutjLvnkWCrgf2ze8KB+8djUBo3MwcTAOBgNVHQ8BAf8EBAMC -BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw -HQYDVR0OBBYEFG0oZxV+LHUKfE4gQ67xfHJuGQ/4MBMGA1UdEQQMMAqCCHRlc3R1 -c2VyMAoGCCqGSM49BAMCA0cAMEQCIEwPZhPpYhYHndfTEsWOxnxzJkmhAcYIMCeJ -d9kyq/fPAiBNCJw1MCLT8LjNlyUZCfwI2zuI3e0w6vuau89oj2zvVA== ------END CERTIFICATE----- + testCert = here.Doc(` + -----BEGIN CERTIFICATE----- + MIICBDCCAaugAwIBAgIUeidKWlZQuoKfBGydObI1hMwzt9cwCgYIKoZIzj0EAwIw + SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp + c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDA3MjgxOTI3MDBaFw0yMTA3 + MjgxOTI3MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN + U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB + BggqhkjOPQMBBwNCAARk7XBC+OjYmrXOhm7RaJiHW4Q5VsE+iMV90Bzq7ansqAhb + 04RI63Y7YPwu1aExutjLvnkWCrgf2ze8KB+8djUBo3MwcTAOBgNVHQ8BAf8EBAMC + BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw + HQYDVR0OBBYEFG0oZxV+LHUKfE4gQ67xfHJuGQ/4MBMGA1UdEQQMMAqCCHRlc3R1 + c2VyMAoGCCqGSM49BAMCA0cAMEQCIEwPZhPpYhYHndfTEsWOxnxzJkmhAcYIMCeJ + d9kyq/fPAiBNCJw1MCLT8LjNlyUZCfwI2zuI3e0w6vuau89oj2zvVA== + -----END CERTIFICATE----- `) - testKey = maskKey(strings.TrimSpace(` ------BEGIN EC TESTING KEY----- -MHcCAQEEIAqkBGGKTH5GzLx8XZLAHEFW2E8jT+jpy0p6w6MMR7DkoAoGCCqGSM49 -AwEHoUQDQgAEZO1wQvjo2Jq1zoZu0WiYh1uEOVbBPojFfdAc6u2p7KgIW9OESOt2 -O2D8LtWhMbrYy755Fgq4H9s3vCgfvHY1AQ== ------END EC TESTING KEY----- + + testKey = maskKey(here.Doc(` + -----BEGIN EC TESTING KEY----- + MHcCAQEEIAqkBGGKTH5GzLx8XZLAHEFW2E8jT+jpy0p6w6MMR7DkoAoGCCqGSM49 + AwEHoUQDQgAEZO1wQvjo2Jq1zoZu0WiYh1uEOVbBPojFfdAc6u2p7KgIW9OESOt2 + O2D8LtWhMbrYy755Fgq4H9s3vCgfvHY1AQ== + -----END EC TESTING KEY----- `)) ) From 872330bee9a816f0f893224db10e68a9a463ce72 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Sun, 13 Sep 2020 10:22:27 -0700 Subject: [PATCH 03/32] Require newer version of kubectl in prepare-for-integration-tests.sh - Using the dry run option requires version 1.18+ --- hack/prepare-for-integration-tests.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index d68fb6ebc..b5d60ac01 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -88,6 +88,12 @@ check_dependency kapp "Please install kapp. e.g. 'brew tap k14s/tap && brew inst check_dependency kubectl "Please install kubectl. e.g. 'brew install kubectl' for MacOS" check_dependency htpasswd "Please install htpasswd. Should be pre-installed on MacOS. Usually found in 'apache2-utils' package for linux." +# Require kubectl >= 1.18.x +if [ "$(kubectl version --client=true --short | cut -d '.' -f 2)" -lt 18 ]; then + echo "kubectl >= 1.18.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)" + exit 1 +fi + # # Setup kind and build the app # From 7515af639a3c3daf47dbcd73a6632edcb21bdea4 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Mon, 14 Sep 2020 10:42:29 -0400 Subject: [PATCH 04/32] ADOPTERS.md: add initial draft Signed-off-by: Andrew Keesler --- ADOPTERS.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 ADOPTERS.md diff --git a/ADOPTERS.md b/ADOPTERS.md new file mode 100644 index 000000000..560861370 --- /dev/null +++ b/ADOPTERS.md @@ -0,0 +1,9 @@ +# Pinniped Adopters + +These organizations are using Pinniped. + +* [VMware Tanzu](https://tanzu.vmware.com/) ([Tanzu Mission Control](https://tanzu.vmware.com/mission-control)) + +If you are using Pinniped and are not on this list, you can open a [pull +request](https://github.com/suzerain-io/pinniped/issues/new?template=feature-proposal.md) +to add yourself. From bbef017989f6dab720b85f033479ea044501e7d6 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 12:57:07 -0500 Subject: [PATCH 05/32] Add a testlogger util package for testing go-logr. Signed-off-by: Matt Moyer --- go.mod | 2 + go.sum | 5 ++ internal/testutil/testlogger/testlogger.go | 61 ++++++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 internal/testutil/testlogger/testlogger.go diff --git a/go.mod b/go.mod index 246020d64..5d8e7db8f 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,8 @@ go 1.14 require ( github.com/davecgh/go-spew v1.1.1 github.com/go-logr/logr v0.2.1 + github.com/go-logr/stdr v0.2.0 + github.com/go-logr/zapr v0.2.0 // indirect github.com/golang/mock v1.4.4 github.com/golangci/golangci-lint v1.31.0 github.com/google/go-cmp v0.5.2 diff --git a/go.sum b/go.sum index fb22470c6..570aaaa05 100644 --- a/go.sum +++ b/go.sum @@ -149,6 +149,10 @@ github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v0.2.1 h1:fV3MLmabKIZ383XifUjFSwcoGee0v9qgPp8wy5svibE= github.com/go-logr/logr v0.2.1/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/stdr v0.2.0 h1:EuTFw3BCZ6H/+1VNFlOLVK/sPKwmGMLx8/FTOFWuXpU= +github.com/go-logr/stdr v0.2.0/go.mod h1:NO1vneyJDqKVgJYnxhwXWWmQPOvNM391IG3H8ql3jiA= +github.com/go-logr/zapr v0.2.0 h1:v6Ji8yBW77pva6NkJKQdHLAJKrIJKRHz0RXwPqCHSR4= +github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU= github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= @@ -622,6 +626,7 @@ go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= diff --git a/internal/testutil/testlogger/testlogger.go b/internal/testutil/testlogger/testlogger.go new file mode 100644 index 000000000..04ce56609 --- /dev/null +++ b/internal/testutil/testlogger/testlogger.go @@ -0,0 +1,61 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package testlogger implements a logr.Logger suitable for writing test assertions. +package testlogger + +import ( + "bytes" + "log" + "strings" + "sync" + "testing" + + "github.com/go-logr/logr" + "github.com/go-logr/stdr" +) + +// Logger implements logr.Logger in a way that captures logs for test assertions. +type Logger struct { + logr.Logger + t *testing.T + buffer syncBuffer +} + +// New returns a new test Logger. +func New(t *testing.T) *Logger { + res := Logger{t: t} + res.Logger = stdr.New(log.New(&res.buffer, "", 0)) + return &res +} + +// Lines returns the lines written to the test logger. +func (l *Logger) Lines() []string { + l.t.Helper() + l.buffer.mutex.Lock() + defer l.buffer.mutex.Unlock() + + // Trim leading/trailing whitespace and omit empty lines. + var result []string + for _, line := range strings.Split(l.buffer.buffer.String(), "\n") { + line = strings.TrimSpace(line) + if line != "" { + result = append(result, line) + } + } + return result +} + +// syncBuffer synchronizes access to a bytes.Buffer. +type syncBuffer struct { + mutex sync.Mutex + buffer bytes.Buffer +} + +func (s *syncBuffer) Write(p []byte) (n int, err error) { + s.mutex.Lock() + defer s.mutex.Unlock() + return s.buffer.Write(p) +} From 7d8c28a9dcf3499880f1b09f26c7c091a148f0c9 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 10:34:41 -0500 Subject: [PATCH 06/32] Extract testutil.TLSTestServer so it can be reused elsewhere. Signed-off-by: Matt Moyer --- internal/client/client_test.go | 21 ++++----------------- internal/testutil/tlsserver.go | 27 +++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 17 deletions(-) create mode 100644 internal/testutil/tlsserver.go diff --git a/internal/client/client_test.go b/internal/client/client_test.go index 30b1b795e..b932d1f79 100644 --- a/internal/client/client_test.go +++ b/internal/client/client_test.go @@ -8,10 +8,8 @@ package client import ( "context" "encoding/json" - "encoding/pem" "io/ioutil" "net/http" - "net/http/httptest" "testing" "time" @@ -20,20 +18,9 @@ import ( clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" + "github.com/suzerain-io/pinniped/internal/testutil" ) -func startTestServer(t *testing.T, handler http.HandlerFunc) (string, string) { - t.Helper() - server := httptest.NewTLSServer(handler) - t.Cleanup(server.Close) - - caBundle := string(pem.EncodeToMemory(&pem.Block{ - Type: "CERTIFICATE", - Bytes: server.TLS.Certificates[0].Certificate[0], - })) - return caBundle, server.URL -} - func TestExchangeToken(t *testing.T) { t.Parallel() ctx := context.Background() @@ -48,7 +35,7 @@ func TestExchangeToken(t *testing.T) { t.Run("server error", func(t *testing.T) { t.Parallel() // Start a test server that returns only 500 errors. - caBundle, endpoint := startTestServer(t, func(w http.ResponseWriter, r *http.Request) { + caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusInternalServerError) _, _ = w.Write([]byte("some server error")) }) @@ -62,7 +49,7 @@ func TestExchangeToken(t *testing.T) { t.Parallel() // Start a test server that returns success but with an error message errorMessage := "some login failure" - caBundle, endpoint := startTestServer(t, func(w http.ResponseWriter, r *http.Request) { + caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { w.Header().Set("content-type", "application/json") _ = json.NewEncoder(w).Encode(&v1alpha1.CredentialRequest{ TypeMeta: metav1.TypeMeta{APIVersion: "pinniped.dev/v1alpha1", Kind: "CredentialRequest"}, @@ -80,7 +67,7 @@ func TestExchangeToken(t *testing.T) { expires := metav1.NewTime(time.Now().Truncate(time.Second)) // Start a test server that returns successfully and asserts various properties of the request. - caBundle, endpoint := startTestServer(t, func(w http.ResponseWriter, r *http.Request) { + caBundle, endpoint := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { require.Equal(t, http.MethodPost, r.Method) require.Equal(t, "/apis/pinniped.dev/v1alpha1/credentialrequests", r.URL.Path) require.Equal(t, "application/json", r.Header.Get("content-type")) diff --git a/internal/testutil/tlsserver.go b/internal/testutil/tlsserver.go new file mode 100644 index 000000000..0da0be946 --- /dev/null +++ b/internal/testutil/tlsserver.go @@ -0,0 +1,27 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package testutil + +import ( + "encoding/pem" + "net/http" + "net/http/httptest" + "testing" +) + +// TLSTestServer starts a test server listening on a local port using a test CA. It returns the PEM CA bundle and the +// URL of the listening server. The lifetime of the server is bound to the provided *testing.T. +func TLSTestServer(t *testing.T, handler http.HandlerFunc) (caBundlePEM string, url string) { + t.Helper() + server := httptest.NewTLSServer(handler) + t.Cleanup(server.Close) + + caBundle := string(pem.EncodeToMemory(&pem.Block{ + Type: "CERTIFICATE", + Bytes: server.TLS.Certificates[0].Certificate[0], + })) + return caBundle, server.URL +} From 92fabf43b330626ebe561a6f77cc583e0e3bf0ca Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Wed, 9 Sep 2020 14:55:59 -0500 Subject: [PATCH 07/32] Add new controller.SimpleFilter and controller.NoOpFilter utilities. Signed-off-by: Matt Moyer --- internal/controller/utils.go | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/internal/controller/utils.go b/internal/controller/utils.go index 8f0866cbf..e84591cc1 100644 --- a/internal/controller/utils.go +++ b/internal/controller/utils.go @@ -11,16 +11,23 @@ import ( "github.com/suzerain-io/pinniped/internal/controllerlib" ) -func NameAndNamespaceExactMatchFilterFactory(name, namespace string) controllerlib.FilterFuncs { - objMatchesFunc := func(obj metav1.Object) bool { +func NameAndNamespaceExactMatchFilterFactory(name, namespace string) controllerlib.Filter { + return SimpleFilter(func(obj metav1.Object) bool { return obj.GetName() == name && obj.GetNamespace() == namespace - } + }) +} + +// NoOpFilter returns a controllerlib.Filter that allows all objects. +func NoOpFilter() controllerlib.Filter { + return SimpleFilter(func(object metav1.Object) bool { return true }) +} + +// SimpleFilter takes a single boolean match function on a metav1.Object and wraps it into a proper controllerlib.Filter. +func SimpleFilter(match func(metav1.Object) bool) controllerlib.Filter { return controllerlib.FilterFuncs{ - AddFunc: objMatchesFunc, - UpdateFunc: func(oldObj, newObj metav1.Object) bool { - return objMatchesFunc(oldObj) || objMatchesFunc(newObj) - }, - DeleteFunc: objMatchesFunc, + AddFunc: match, + UpdateFunc: func(oldObj, newObj metav1.Object) bool { return match(oldObj) || match(newObj) }, + DeleteFunc: match, } } From 4379d2772c0b09c1eddbf9c5324f8431ea81f3fc Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Mon, 14 Sep 2020 19:07:18 -0700 Subject: [PATCH 08/32] CLI `get-kubeconfig` command reads kubeconfig and CredentialIssuerConfig --- cmd/pinniped/cmd/get_kubeconfig.go | 274 ++++++++--- cmd/pinniped/cmd/get_kubeconfig_test.go | 430 ++++++++++++++++-- cmd/pinniped/cmd/testdata/kubeconfig.yaml | 31 ++ ...eate_or_update_credential_issuer_config.go | 4 +- internal/controller/issuerconfig/publisher.go | 10 +- 5 files changed, 652 insertions(+), 97 deletions(-) create mode 100644 cmd/pinniped/cmd/testdata/kubeconfig.yaml diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go index 7bceadc18..a92a4f969 100644 --- a/cmd/pinniped/cmd/get_kubeconfig.go +++ b/cmd/pinniped/cmd/get_kubeconfig.go @@ -6,20 +6,35 @@ SPDX-License-Identifier: Apache-2.0 package cmd import ( + "bytes" + "context" + "encoding/base64" "fmt" "io" "os" + "time" "github.com/ghodss/yaml" "github.com/spf13/cobra" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" v1 "k8s.io/client-go/tools/clientcmd/api/v1" + "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/here" ) const ( - getKubeConfigCmdTokenFlagName = "token" + getKubeConfigCmdTokenFlagName = "token" + getKubeConfigCmdKubeconfigFlagName = "kubeconfig" + getKubeConfigCmdKubeconfigContextFlagName = "kubeconfig-context" + getKubeConfigCmdPinnipedNamespaceFlagName = "pinniped-namespace" ) //nolint: gochecknoinits @@ -31,10 +46,15 @@ func init() { Short: "Print a kubeconfig for authenticating into a cluster via Pinniped", Long: here.Doc(` Print a kubeconfig for authenticating into a cluster via Pinniped. - - Assumes that you have admin-like access to the cluster using your - current kubeconfig context, in order to access Pinniped's metadata. - + + Requires admin-like access to the cluster using the current + kubeconfig context in order to access Pinniped's metadata. + The current kubeconfig is found similar to how kubectl finds it: + using the value of the --kubeconfig option, or if that is not + specified then from the value of the KUBECONFIG environment + variable, or if that is not specified then it defaults to + .kube/config in your home directory. + Prints a kubeconfig which is suitable to access the cluster using Pinniped as the authentication mechanism. This kubeconfig output can be saved to a file and used with future kubectl commands, e.g.: @@ -47,20 +67,54 @@ func init() { getKubeConfigCmd.Flags().StringP( getKubeConfigCmdTokenFlagName, - "t", "", - "The credential to include in the resulting kubeconfig output (Required)", + "", + "Credential to include in the resulting kubeconfig output (Required)", ) err := getKubeConfigCmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName) if err != nil { panic(err) } + + getKubeConfigCmd.Flags().StringP( + getKubeConfigCmdKubeconfigFlagName, + "", + "", + "Path to the kubeconfig file", + ) + + getKubeConfigCmd.Flags().StringP( + getKubeConfigCmdKubeconfigContextFlagName, + "", + "", + "Kubeconfig context override", + ) + + getKubeConfigCmd.Flags().StringP( + getKubeConfigCmdPinnipedNamespaceFlagName, + "", + "pinniped", + "Namespace in which Pinniped was installed", + ) } func runGetKubeConfig(cmd *cobra.Command, _ []string) { token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String() + kubeconfigPathOverride := cmd.Flag(getKubeConfigCmdKubeconfigFlagName).Value.String() + currentContextOverride := cmd.Flag(getKubeConfigCmdKubeconfigContextFlagName).Value.String() + pinnipedInstallationNamespace := cmd.Flag(getKubeConfigCmdPinnipedNamespaceFlagName).Value.String() - err := getKubeConfig(os.Stdout, token) + err := getKubeConfig( + os.Stdout, + os.Stderr, + token, + kubeconfigPathOverride, + currentContextOverride, + pinnipedInstallationNamespace, + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + return pinnipedclientset.NewForConfig(restConfig) + }, + ) if err != nil { _, _ = fmt.Fprintf(os.Stderr, "error: %s\n", err.Error()) @@ -68,45 +122,157 @@ func runGetKubeConfig(cmd *cobra.Command, _ []string) { } } -func getKubeConfig(outputWriter io.Writer, token string) error { - clusterName := "pinniped-cluster" - userName := "pinniped-user" +func getKubeConfig( + outputWriter io.Writer, + warningsWriter io.Writer, + token string, + kubeconfigPathOverride string, + currentContextNameOverride string, + pinnipedInstallationNamespace string, + kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), +) error { + if token == "" { + return fmt.Errorf("--" + getKubeConfigCmdTokenFlagName + " flag value cannot be empty") + } fullPathToSelf, err := os.Executable() if err != nil { return fmt.Errorf("could not find path to self: %w", err) } - config := v1.Config{ - Kind: "Config", - APIVersion: v1.SchemeGroupVersion.Version, - Preferences: v1.Preferences{ - Colors: false, // TODO what does this setting do? - Extensions: nil, - }, + clientConfig := newClientConfig(kubeconfigPathOverride, currentContextNameOverride) + + currentKubeConfig, err := clientConfig.RawConfig() + if err != nil { + return err + } + + credentialIssuerConfig, err := fetchPinnipedCredentialIssuerConfig(clientConfig, kubeClientCreator, pinnipedInstallationNamespace) + if err != nil { + return err + } + + v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(err, currentKubeConfig, currentContextNameOverride) + if err != nil { + return err + } + + // TODO handle when credentialIssuerConfig has no Status or no KubeConfigInfo + + err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, warningsWriter) + if err != nil { + return err + } + + config := newPinnipedKubeconfig(v1Cluster, fullPathToSelf, token) + + err = writeConfigAsYAML(outputWriter, config) + if err != nil { + return err + } + + return nil +} + +func issueWarningForNonMatchingServerOrCA(v1Cluster v1.Cluster, credentialIssuerConfig *v1alpha1.CredentialIssuerConfig, warningsWriter io.Writer) error { + credentialIssuerConfigCA, err := base64.StdEncoding.DecodeString(credentialIssuerConfig.Status.KubeConfigInfo.CertificateAuthorityData) + if err != nil { + return err + } + if v1Cluster.Server != credentialIssuerConfig.Status.KubeConfigInfo.Server || + !bytes.Equal(v1Cluster.CertificateAuthorityData, credentialIssuerConfigCA) { + _, err := warningsWriter.Write([]byte("WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n")) + if err != nil { + return fmt.Errorf("output write error: %w", err) + } + } + return nil +} + +func fetchPinnipedCredentialIssuerConfig(clientConfig clientcmd.ClientConfig, kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), pinnipedInstallationNamespace string) (*v1alpha1.CredentialIssuerConfig, error) { + restConfig, err := clientConfig.ClientConfig() + if err != nil { + return nil, err + } + clientset, err := kubeClientCreator(restConfig) + if err != nil { + return nil, err + } + + ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*20) + defer cancelFunc() + + credentialIssuerConfig, err := clientset.CrdV1alpha1().CredentialIssuerConfigs(pinnipedInstallationNamespace).Get(ctx, issuerconfig.ConfigName, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + return nil, fmt.Errorf( + `CredentialIssuerConfig "%s" was not found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`, + issuerconfig.ConfigName, + pinnipedInstallationNamespace, + pinnipedInstallationNamespace, + ) + } + return nil, err + } + + return credentialIssuerConfig, nil +} + +func newClientConfig(kubeconfigPathOverride string, currentContextName string) clientcmd.ClientConfig { + loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() + loadingRules.ExplicitPath = kubeconfigPathOverride + clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{ + CurrentContext: currentContextName, + }) + return clientConfig +} + +func writeConfigAsYAML(outputWriter io.Writer, config v1.Config) error { + output, err := yaml.Marshal(&config) + if err != nil { + return fmt.Errorf("YAML serialization error: %w", err) + } + + _, err = outputWriter.Write(output) + if err != nil { + return fmt.Errorf("output write error: %w", err) + } + + return nil +} + +func copyCurrentClusterFromExistingKubeConfig(err error, currentKubeConfig clientcmdapi.Config, currentContextNameOverride string) (v1.Cluster, error) { + v1Cluster := v1.Cluster{} + + contextName := currentKubeConfig.CurrentContext + if currentContextNameOverride != "" { + contextName = currentContextNameOverride + } + + err = v1.Convert_api_Cluster_To_v1_Cluster( + currentKubeConfig.Clusters[currentKubeConfig.Contexts[contextName].Cluster], + &v1Cluster, + nil, + ) + if err != nil { + return v1.Cluster{}, err + } + + return v1Cluster, nil +} + +func newPinnipedKubeconfig(v1Cluster v1.Cluster, fullPathToSelf string, token string) v1.Config { + clusterName := "pinniped-cluster" + userName := "pinniped-user" + + return v1.Config{ + Kind: "Config", + APIVersion: v1.SchemeGroupVersion.Version, + Preferences: v1.Preferences{}, Clusters: []v1.NamedCluster{ { Name: clusterName, - Cluster: v1.Cluster{}, // TODO fill in server and cert authority and such - }, - }, - AuthInfos: []v1.NamedAuthInfo{ - { - Name: userName, - AuthInfo: v1.AuthInfo{ - Exec: &v1.ExecConfig{ - Command: fullPathToSelf, - Args: []string{"exchange-credential"}, - Env: []v1.ExecEnvVar{ - {Name: "PINNIPED_K8S_API_ENDPOINT", Value: ""}, // TODO fill in value - {Name: "PINNIPED_CA_BUNDLE", Value: ""}, // TODO fill in value - {Name: "PINNIPED_TOKEN", Value: token}, - }, - APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(), - InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" + - "For more information, please visit https://pinniped.dev", - }, - }, + Cluster: v1Cluster, }, }, Contexts: []v1.NamedContext{ @@ -118,19 +284,25 @@ func getKubeConfig(outputWriter io.Writer, token string) error { }, }, }, + AuthInfos: []v1.NamedAuthInfo{ + { + Name: userName, + AuthInfo: v1.AuthInfo{ + Exec: &v1.ExecConfig{ + Command: fullPathToSelf, + Args: []string{"exchange-credential"}, + Env: []v1.ExecEnvVar{ + {Name: "PINNIPED_K8S_API_ENDPOINT", Value: v1Cluster.Server}, + {Name: "PINNIPED_CA_BUNDLE", Value: string(v1Cluster.CertificateAuthorityData)}, + {Name: "PINNIPED_TOKEN", Value: token}, + }, + APIVersion: clientauthenticationv1beta1.SchemeGroupVersion.String(), + InstallHint: "The Pinniped CLI is required to authenticate to the current cluster.\n" + + "For more information, please visit https://pinniped.dev", + }, + }, + }, + }, CurrentContext: clusterName, - Extensions: nil, } - - output, err := yaml.Marshal(&config) - if err != nil { - return fmt.Errorf("YAML serialization error: %w", err) - } - - _, err = fmt.Fprint(outputWriter, string(output)) - if err != nil { - return fmt.Errorf("output write error: %w", err) - } - - return nil } diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go index feccb96bd..a99a47951 100644 --- a/cmd/pinniped/cmd/get_kubeconfig_test.go +++ b/cmd/pinniped/cmd/get_kubeconfig_test.go @@ -7,70 +7,422 @@ package cmd import ( "bytes" + "encoding/base64" + "fmt" "os" "testing" "github.com/sclevine/spec" "github.com/sclevine/spec/report" "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/rest" + crdpinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" "github.com/suzerain-io/pinniped/internal/here" ) +// TODO write a test for the help message and command line flags similar to server_test.go + +func expectedKubeconfigYAML(clusterCAData, clusterServer, command, token, pinnipedEndpoint, pinnipedCABundle string) string { + return here.Docf(` + apiVersion: v1 + clusters: + - cluster: + certificate-authority-data: %s + server: %s + name: pinniped-cluster + contexts: + - context: + cluster: pinniped-cluster + user: pinniped-user + name: pinniped-cluster + current-context: pinniped-cluster + kind: Config + preferences: {} + users: + - name: pinniped-user + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + args: + - exchange-credential + command: %s + env: + - name: PINNIPED_K8S_API_ENDPOINT + value: %s + - name: PINNIPED_CA_BUNDLE + value: %s + - name: PINNIPED_TOKEN + value: %s + installHint: |- + The Pinniped CLI is required to authenticate to the current cluster. + For more information, please visit https://pinniped.dev + `, clusterCAData, clusterServer, command, pinnipedEndpoint, pinnipedCABundle, token) +} + +func newCredentialIssuerConfig(server, certificateAuthorityData string) *crdpinnipedv1alpha1.CredentialIssuerConfig { + return &crdpinnipedv1alpha1.CredentialIssuerConfig{ + TypeMeta: metav1.TypeMeta{ + Kind: "CredentialIssuerConfig", + APIVersion: crdpinnipedv1alpha1.SchemeGroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-config", + Namespace: "some-namespace", + }, + Status: crdpinnipedv1alpha1.CredentialIssuerConfigStatus{ + KubeConfigInfo: &crdpinnipedv1alpha1.CredentialIssuerConfigKubeConfigInfo{ + Server: server, + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(certificateAuthorityData)), + }, + }, + } +} + func TestGetKubeConfig(t *testing.T) { spec.Run(t, "cmd.getKubeConfig", func(t *testing.T, when spec.G, it spec.S) { var r *require.Assertions - var buffer *bytes.Buffer + var outputBuffer *bytes.Buffer + var warningsBuffer *bytes.Buffer var fullPathToSelf string + var pinnipedClient *pinnipedfake.Clientset it.Before(func() { r = require.New(t) - buffer = new(bytes.Buffer) + + outputBuffer = new(bytes.Buffer) + warningsBuffer = new(bytes.Buffer) var err error fullPathToSelf, err = os.Executable() r.NoError(err) + + pinnipedClient = pinnipedfake.NewSimpleClientset() }) - it("writes the kubeconfig to the given writer", func() { - err := getKubeConfig(buffer, "some-token") - r.NoError(err) + when("the CredentialIssuerConfig is found on the cluster with a configuration that matches the existing kubeconfig", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + newCredentialIssuerConfig("https://fake-server-url-value", "fake-certificate-authority-data-value"), + )) + }) - expectedYAML := here.Docf(` - apiVersion: v1 - clusters: - - cluster: - server: "" - name: pinniped-cluster - contexts: - - context: - cluster: pinniped-cluster - user: pinniped-user - name: pinniped-cluster - current-context: pinniped-cluster - kind: Config - preferences: {} - users: - - name: pinniped-user - user: - exec: - apiVersion: client.authentication.k8s.io/v1beta1 - args: - - exchange-credential - command: %s - env: - - name: PINNIPED_K8S_API_ENDPOINT - value: "" - - name: PINNIPED_CA_BUNDLE - value: "" - - name: PINNIPED_TOKEN - value: some-token - installHint: |- - The Pinniped CLI is required to authenticate to the current cluster. - For more information, please visit https://pinniped.dev - `, fullPathToSelf) + it("writes the kubeconfig to the given writer", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) - r.Equal(expectedYAML, buffer.String()) + r.Empty(warningsBuffer.String()) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + + when("the currentContextOverride is used to specify a context other than the default context", func() { + it.Before(func() { + // update the Server and CertificateAuthorityData to make them match the other kubeconfig context + r.NoError(pinnipedClient.Tracker().Update( + schema.GroupVersionResource{ + Group: crdpinnipedv1alpha1.GroupName, + Version: crdpinnipedv1alpha1.SchemeGroupVersion.Version, + Resource: "credentialissuerconfigs", + }, + newCredentialIssuerConfig( + "https://some-other-fake-server-url-value", + "some-other-fake-certificate-authority-data-value", + ), + "some-namespace", + )) + }) + + when("that context exists", func() { + it("writes the kubeconfig to the given writer using the specified context", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "some-other-context", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://some-other-fake-server-url-value", restConfig.Host) + r.Equal("some-other-fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Empty(warningsBuffer.String()) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("some-other-fake-certificate-authority-data-value")), + "https://some-other-fake-server-url-value", + fullPathToSelf, + "some-token", + "https://some-other-fake-server-url-value", + "some-other-fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + + when("that context does not exist the in the current kubeconfig", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "this-context-name-does-not-exist-in-kubeconfig.yaml", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil }, + ) + r.EqualError(err, `context "this-context-name-does-not-exist-in-kubeconfig.yaml" does not exist`) + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + }) + + when("the token passed in is empty", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil }, + ) + r.EqualError(err, "--token flag value cannot be empty") + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("the kubeconfig path passed refers to a file that does not exist", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/this-file-does-not-exist.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { return pinnipedClient, nil }, + ) + r.EqualError(err, "stat ./testdata/this-file-does-not-exist.yaml: no such file or directory") + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("the kubeconfig path parameter is empty", func() { + it.Before(func() { + // Note that this is technically polluting other parallel tests in this file, but other tests + // are always specifying the kubeconfigPathOverride parameter, so they're not actually looking + // at the value of this environment variable. + r.NoError(os.Setenv("KUBECONFIG", "./testdata/kubeconfig.yaml")) + }) + + it.After(func() { + r.NoError(os.Unsetenv("KUBECONFIG")) + }) + + it("falls back to using the KUBECONFIG env var to find the kubeconfig file", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Empty(warningsBuffer.String()) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + + when("the wrong pinniped namespace is passed in", func() { + it("returns an error", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "this-is-the-wrong-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was not found in namespace "this-is-the-wrong-namespace". Is Pinniped installed on this cluster in namespace "this-is-the-wrong-namespace"?`) + r.True(kubeClientCreatorFuncWasCalled) + }) + }) }) + + when("the CredentialIssuerConfig is found on the cluster with a configuration that does not match the existing kubeconfig", func() { + when("the Server doesn't match", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + newCredentialIssuerConfig("non-matching-pinniped-server-url", "fake-certificate-authority-data-value"), + )) + }) + + it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Equal( + "WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n", + warningsBuffer.String(), + ) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + + when("the CA doesn't match", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + newCredentialIssuerConfig("https://fake-server-url-value", "non-matching-certificate-authority-data-value"), + )) + }) + + it("writes the kubeconfig to the given writer using the values found in the local kubeconfig and issues a warning", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.NoError(err) + r.True(kubeClientCreatorFuncWasCalled) + + r.Equal( + "WARNING: Server and certificate authority did not match between local kubeconfig and Pinniped's CredentialIssuerConfig on the cluster. Using local kubeconfig values.\n", + warningsBuffer.String(), + ) + r.Equal(expectedKubeconfigYAML( + base64.StdEncoding.EncodeToString([]byte("fake-certificate-authority-data-value")), + "https://fake-server-url-value", + fullPathToSelf, + "some-token", + "https://fake-server-url-value", + "fake-certificate-authority-data-value", + ), outputBuffer.String()) + }) + }) + }) + + when("the CredentialIssuerConfig does not exist on the cluster", func() { + it("returns an error", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.True(kubeClientCreatorFuncWasCalled) + r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was not found in namespace "some-namespace". Is Pinniped installed on this cluster in namespace "some-namespace"?`) + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + + when("there is an error while getting the CredentialIssuerConfig from the cluster", func() { + it("returns an error", func() { + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + return nil, fmt.Errorf("some error getting CredentialIssuerConfig") + }, + ) + r.EqualError(err, "some error getting CredentialIssuerConfig") + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) } diff --git a/cmd/pinniped/cmd/testdata/kubeconfig.yaml b/cmd/pinniped/cmd/testdata/kubeconfig.yaml new file mode 100644 index 000000000..c89a226ec --- /dev/null +++ b/cmd/pinniped/cmd/testdata/kubeconfig.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +clusters: + - cluster: + certificate-authority-data: ZmFrZS1jZXJ0aWZpY2F0ZS1hdXRob3JpdHktZGF0YS12YWx1ZQ== # fake-certificate-authority-data-value + server: https://fake-server-url-value + name: kind-kind + - cluster: + certificate-authority-data: c29tZS1vdGhlci1mYWtlLWNlcnRpZmljYXRlLWF1dGhvcml0eS1kYXRhLXZhbHVl # some-other-fake-certificate-authority-data-value + server: https://some-other-fake-server-url-value + name: some-other-cluster +contexts: + - context: + cluster: kind-kind + user: kind-kind + name: kind-kind + - context: + cluster: some-other-cluster + user: some-other-user + name: some-other-context +current-context: kind-kind +kind: Config +preferences: {} +users: + - name: kind-kind + user: + client-certificate-data: ZmFrZS1jbGllbnQtY2VydGlmaWNhdGUtZGF0YS12YWx1ZQ== # fake-client-certificate-data-value + client-key-data: ZmFrZS1jbGllbnQta2V5LWRhdGEtdmFsdWU= # fake-client-key-data-value + - name: some-other-user + user: + client-certificate-data: c29tZS1vdGhlci1mYWtlLWNsaWVudC1jZXJ0aWZpY2F0ZS1kYXRhLXZhbHVl # some-other-fake-client-certificate-data-value + client-key-data: c29tZS1vdGhlci1mYWtlLWNsaWVudC1rZXktZGF0YS12YWx1ZQ== # some-other-fake-client-key-data-value diff --git a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go index 071387891..99410e9bf 100644 --- a/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go +++ b/internal/controller/issuerconfig/create_or_update_credential_issuer_config.go @@ -28,7 +28,7 @@ func CreateOrUpdateCredentialIssuerConfig( existingCredentialIssuerConfig, err := pinnipedClient. CrdV1alpha1(). CredentialIssuerConfigs(credentialIssuerConfigNamespace). - Get(ctx, configName, metav1.GetOptions{}) + Get(ctx, ConfigName, metav1.GetOptions{}) notFound := k8serrors.IsNotFound(err) if err != nil && !notFound { @@ -39,7 +39,7 @@ func CreateOrUpdateCredentialIssuerConfig( ctx, existingCredentialIssuerConfig, notFound, - configName, + ConfigName, credentialIssuerConfigNamespace, pinnipedClient, applyUpdatesToCredentialIssuerConfigFunc) diff --git a/internal/controller/issuerconfig/publisher.go b/internal/controller/issuerconfig/publisher.go index 46774514d..82bf52931 100644 --- a/internal/controller/issuerconfig/publisher.go +++ b/internal/controller/issuerconfig/publisher.go @@ -24,10 +24,10 @@ import ( const ( ClusterInfoNamespace = "kube-public" + ConfigName = "pinniped-config" + clusterInfoName = "cluster-info" clusterInfoConfigMapKey = "kubeconfig" - - configName = "pinniped-config" ) type publisherController struct { @@ -64,7 +64,7 @@ func NewPublisherController( ), withInformer( credentialIssuerConfigInformer, - pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(configName, namespace), + pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(ConfigName, namespace), controllerlib.InformerOption{}, ), ) @@ -114,7 +114,7 @@ func (c *publisherController) Sync(ctx controllerlib.Context) error { existingCredentialIssuerConfigFromInformerCache, err := c.credentialIssuerConfigInformer. Lister(). CredentialIssuerConfigs(c.namespace). - Get(configName) + Get(ConfigName) notFound = k8serrors.IsNotFound(err) if err != nil && !notFound { return fmt.Errorf("could not get credentialissuerconfig: %w", err) @@ -131,7 +131,7 @@ func (c *publisherController) Sync(ctx controllerlib.Context) error { ctx.Context, existingCredentialIssuerConfigFromInformerCache, notFound, - configName, + ConfigName, c.namespace, c.pinnipedClient, updateServerAndCAFunc) From 879d847ffb092387db9587aea26f6be50af310a9 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Tue, 15 Sep 2020 10:04:25 -0400 Subject: [PATCH 09/32] cmd/pinniped/cmd: add get-kubeconfig cli tests Signed-off-by: Andrew Keesler --- cmd/pinniped/cmd/get_kubeconfig.go | 75 +++++++-- cmd/pinniped/cmd/get_kubeconfig_test.go | 215 +++++++++++++++++++++++- 2 files changed, 271 insertions(+), 19 deletions(-) diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go index a92a4f969..1c4937ca1 100644 --- a/cmd/pinniped/cmd/get_kubeconfig.go +++ b/cmd/pinniped/cmd/get_kubeconfig.go @@ -26,6 +26,7 @@ import ( "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + "github.com/suzerain-io/pinniped/internal/constable" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/here" ) @@ -39,8 +40,42 @@ const ( //nolint: gochecknoinits func init() { - getKubeConfigCmd := &cobra.Command{ - Run: runGetKubeConfig, + rootCmd.AddCommand(newGetKubeConfigCmd(os.Args, os.Stdout, os.Stderr).cmd) +} + +type getKubeConfigCommand struct { + // runFunc is called by the cobra.Command.Run hook. It is included here for + // testability. + runFunc func( + stdout, stderr io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) + + // cmd is the cobra.Command for this CLI command. It is included here for + // testability. + cmd *cobra.Command +} + +func newGetKubeConfigCmd(args []string, stdout, stderr io.Writer) *getKubeConfigCommand { + c := &getKubeConfigCommand{ + runFunc: runGetKubeConfig, + } + + c.cmd = &cobra.Command{ + Run: func(cmd *cobra.Command, _ []string) { + token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String() + kubeconfigPathOverride := cmd.Flag(getKubeConfigCmdKubeconfigFlagName).Value.String() + currentContextOverride := cmd.Flag(getKubeConfigCmdKubeconfigContextFlagName).Value.String() + pinnipedInstallationNamespace := cmd.Flag(getKubeConfigCmdPinnipedNamespaceFlagName).Value.String() + c.runFunc( + stdout, + stderr, + token, + kubeconfigPathOverride, + currentContextOverride, + pinnipedInstallationNamespace, + ) + }, Args: cobra.NoArgs, // do not accept positional arguments for this command Use: "get-kubeconfig", Short: "Print a kubeconfig for authenticating into a cluster via Pinniped", @@ -63,50 +98,52 @@ func init() { `), } - rootCmd.AddCommand(getKubeConfigCmd) + c.cmd.SetArgs(args) + c.cmd.SetOut(stdout) + c.cmd.SetErr(stderr) - getKubeConfigCmd.Flags().StringP( + c.cmd.Flags().StringP( getKubeConfigCmdTokenFlagName, "", "", "Credential to include in the resulting kubeconfig output (Required)", ) - err := getKubeConfigCmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName) + err := c.cmd.MarkFlagRequired(getKubeConfigCmdTokenFlagName) if err != nil { panic(err) } - getKubeConfigCmd.Flags().StringP( + c.cmd.Flags().StringP( getKubeConfigCmdKubeconfigFlagName, "", "", "Path to the kubeconfig file", ) - getKubeConfigCmd.Flags().StringP( + c.cmd.Flags().StringP( getKubeConfigCmdKubeconfigContextFlagName, "", "", "Kubeconfig context override", ) - getKubeConfigCmd.Flags().StringP( + c.cmd.Flags().StringP( getKubeConfigCmdPinnipedNamespaceFlagName, "", "pinniped", "Namespace in which Pinniped was installed", ) + + return c } -func runGetKubeConfig(cmd *cobra.Command, _ []string) { - token := cmd.Flag(getKubeConfigCmdTokenFlagName).Value.String() - kubeconfigPathOverride := cmd.Flag(getKubeConfigCmdKubeconfigFlagName).Value.String() - currentContextOverride := cmd.Flag(getKubeConfigCmdKubeconfigContextFlagName).Value.String() - pinnipedInstallationNamespace := cmd.Flag(getKubeConfigCmdPinnipedNamespaceFlagName).Value.String() - +func runGetKubeConfig( + stdout, stderr io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, +) { err := getKubeConfig( - os.Stdout, - os.Stderr, + stdout, + stderr, token, kubeconfigPathOverride, currentContextOverride, @@ -152,13 +189,15 @@ func getKubeConfig( return err } + if credentialIssuerConfig.Status.KubeConfigInfo == nil { + return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`) + } + v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(err, currentKubeConfig, currentContextNameOverride) if err != nil { return err } - // TODO handle when credentialIssuerConfig has no Status or no KubeConfigInfo - err = issueWarningForNonMatchingServerOrCA(v1Cluster, credentialIssuerConfig, warningsWriter) if err != nil { return err diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go index a99a47951..e08316cfc 100644 --- a/cmd/pinniped/cmd/get_kubeconfig_test.go +++ b/cmd/pinniped/cmd/get_kubeconfig_test.go @@ -9,6 +9,7 @@ import ( "bytes" "encoding/base64" "fmt" + "io" "os" "testing" @@ -25,7 +26,180 @@ import ( "github.com/suzerain-io/pinniped/internal/here" ) -// TODO write a test for the help message and command line flags similar to server_test.go +const ( + knownGoodUsage = ` +Usage: + get-kubeconfig [flags] + +Flags: + -h, --help help for get-kubeconfig + --kubeconfig string Path to the kubeconfig file + --kubeconfig-context string Kubeconfig context override + --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") + --token string Credential to include in the resulting kubeconfig output (Required) + +` + + knownGoodHelp = `Print a kubeconfig for authenticating into a cluster via Pinniped. + +Requires admin-like access to the cluster using the current +kubeconfig context in order to access Pinniped's metadata. +The current kubeconfig is found similar to how kubectl finds it: +using the value of the --kubeconfig option, or if that is not +specified then from the value of the KUBECONFIG environment +variable, or if that is not specified then it defaults to +.kube/config in your home directory. + +Prints a kubeconfig which is suitable to access the cluster using +Pinniped as the authentication mechanism. This kubeconfig output +can be saved to a file and used with future kubectl commands, e.g.: + pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig + kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods + +Usage: + get-kubeconfig [flags] + +Flags: + -h, --help help for get-kubeconfig + --kubeconfig string Path to the kubeconfig file + --kubeconfig-context string Kubeconfig context override + --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") + --token string Credential to include in the resulting kubeconfig output (Required) +` +) + +func TestNewGetKubeConfigCmd(t *testing.T) { + spec.Run(t, "newGetKubeConfigCmd", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + var stdout, stderr *bytes.Buffer + + it.Before(func() { + r = require.New(t) + + stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{}) + }) + + it("passes all flags to runFunc", func() { + args := []string{ + "--token", "some-token", + "--kubeconfig", "some-kubeconfig", + "--kubeconfig-context", "some-kubeconfig-context", + "--pinniped-namespace", "some-pinniped-namespace", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + r.Equal("some-token", token) + r.Equal("some-kubeconfig", kubeconfigPathOverride) + r.Equal("some-kubeconfig-context", currentContextOverride) + r.Equal("some-pinniped-namespace", pinnipedInstallationNamespace) + } + + r.NoError(c.cmd.Execute()) + r.True(runFuncCalled) + r.Empty(stdout.String()) + r.Empty(stderr.String()) + }) + + it("requires the 'token' flag", func() { + args := []string{ + "--kubeconfig", "some-kubeconfig", + "--kubeconfig-context", "some-kubeconfig-context", + "--pinniped-namespace", "some-pinniped-namespace", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + } + + errorMessage := `required flag(s) "token" not set` + r.EqualError(c.cmd.Execute(), errorMessage) + r.False(runFuncCalled) + + output := "Error: " + errorMessage + knownGoodUsage + r.Equal(output, stdout.String()) + r.Empty(stderr.String()) + }) + + it("defaults the flags correctly", func() { + args := []string{ + "--token", "some-token", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + r.Equal("some-token", token) + r.Equal("", kubeconfigPathOverride) + r.Equal("", currentContextOverride) + r.Equal("pinniped", pinnipedInstallationNamespace) + } + + r.NoError(c.cmd.Execute()) + r.True(runFuncCalled) + r.Empty(stdout.String()) + r.Empty(stderr.String()) + }) + + it("fails when args are passed", func() { + args := []string{ + "--token", "some-token", + "some-arg", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + } + + errorMessage := `unknown command "some-arg" for "get-kubeconfig"` + r.EqualError(c.cmd.Execute(), errorMessage) + r.False(runFuncCalled) + + output := "Error: " + errorMessage + knownGoodUsage + r.Equal(output, stdout.String()) + r.Empty(stderr.String()) + }) + + it("prints a nice help message", func() { + args := []string{ + "--help", + } + c := newGetKubeConfigCmd(args, stdout, stderr) + + runFuncCalled := false + c.runFunc = func( + out, err io.Writer, + token, kubeconfigPathOverride, currentContextOverride, pinnipedInstallationNamespace string, + ) { + runFuncCalled = true + } + + r.NoError(c.cmd.Execute()) + r.False(runFuncCalled) + r.Equal(knownGoodHelp, stdout.String()) + r.Empty(stderr.String()) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} func expectedKubeconfigYAML(clusterCAData, clusterServer, command, token, pinnipedEndpoint, pinnipedCABundle string) string { return here.Docf(` @@ -383,6 +557,45 @@ func TestGetKubeConfig(t *testing.T) { }) }) + when("the CredentialIssuerConfig is found on the cluster with an empty KubeConfigInfo", func() { + it.Before(func() { + r.NoError(pinnipedClient.Tracker().Add( + &crdpinnipedv1alpha1.CredentialIssuerConfig{ + TypeMeta: metav1.TypeMeta{ + Kind: "CredentialIssuerConfig", + APIVersion: crdpinnipedv1alpha1.SchemeGroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-config", + Namespace: "some-namespace", + }, + Status: crdpinnipedv1alpha1.CredentialIssuerConfigStatus{}, + }, + )) + }) + + it("returns an error", func() { + kubeClientCreatorFuncWasCalled := false + err := getKubeConfig(outputBuffer, + warningsBuffer, + "some-token", + "./testdata/kubeconfig.yaml", + "", + "some-namespace", + func(restConfig *rest.Config) (pinnipedclientset.Interface, error) { + kubeClientCreatorFuncWasCalled = true + r.Equal("https://fake-server-url-value", restConfig.Host) + r.Equal("fake-certificate-authority-data-value", string(restConfig.CAData)) + return pinnipedClient, nil + }, + ) + r.True(kubeClientCreatorFuncWasCalled) + r.EqualError(err, `CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`) + r.Empty(warningsBuffer.String()) + r.Empty(outputBuffer.String()) + }) + }) + when("the CredentialIssuerConfig does not exist on the cluster", func() { it("returns an error", func() { kubeClientCreatorFuncWasCalled := false From 82ef9e480654a2eddcdc3b084717c12b6ead1bf0 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Tue, 15 Sep 2020 11:00:00 -0400 Subject: [PATCH 10/32] cmd/pinniped/cmd: fix some linting errors Signed-off-by: Andrew Keesler --- cmd/pinniped/cmd/get_kubeconfig.go | 12 ++++++------ cmd/pinniped/cmd/get_kubeconfig_test.go | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cmd/pinniped/cmd/get_kubeconfig.go b/cmd/pinniped/cmd/get_kubeconfig.go index 1c4937ca1..ff9b98adb 100644 --- a/cmd/pinniped/cmd/get_kubeconfig.go +++ b/cmd/pinniped/cmd/get_kubeconfig.go @@ -169,7 +169,7 @@ func getKubeConfig( kubeClientCreator func(restConfig *rest.Config) (pinnipedclientset.Interface, error), ) error { if token == "" { - return fmt.Errorf("--" + getKubeConfigCmdTokenFlagName + " flag value cannot be empty") + return constable.Error("--" + getKubeConfigCmdTokenFlagName + " flag value cannot be empty") } fullPathToSelf, err := os.Executable() @@ -193,7 +193,7 @@ func getKubeConfig( return constable.Error(`CredentialIssuerConfig "pinniped-config" was missing KubeConfigInfo`) } - v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(err, currentKubeConfig, currentContextNameOverride) + v1Cluster, err := copyCurrentClusterFromExistingKubeConfig(currentKubeConfig, currentContextNameOverride) if err != nil { return err } @@ -244,12 +244,12 @@ func fetchPinnipedCredentialIssuerConfig(clientConfig clientcmd.ClientConfig, ku credentialIssuerConfig, err := clientset.CrdV1alpha1().CredentialIssuerConfigs(pinnipedInstallationNamespace).Get(ctx, issuerconfig.ConfigName, metav1.GetOptions{}) if err != nil { if apierrors.IsNotFound(err) { - return nil, fmt.Errorf( + return nil, constable.Error(fmt.Sprintf( `CredentialIssuerConfig "%s" was not found in namespace "%s". Is Pinniped installed on this cluster in namespace "%s"?`, issuerconfig.ConfigName, pinnipedInstallationNamespace, pinnipedInstallationNamespace, - ) + )) } return nil, err } @@ -280,7 +280,7 @@ func writeConfigAsYAML(outputWriter io.Writer, config v1.Config) error { return nil } -func copyCurrentClusterFromExistingKubeConfig(err error, currentKubeConfig clientcmdapi.Config, currentContextNameOverride string) (v1.Cluster, error) { +func copyCurrentClusterFromExistingKubeConfig(currentKubeConfig clientcmdapi.Config, currentContextNameOverride string) (v1.Cluster, error) { v1Cluster := v1.Cluster{} contextName := currentKubeConfig.CurrentContext @@ -288,7 +288,7 @@ func copyCurrentClusterFromExistingKubeConfig(err error, currentKubeConfig clien contextName = currentContextNameOverride } - err = v1.Convert_api_Cluster_To_v1_Cluster( + err := v1.Convert_api_Cluster_To_v1_Cluster( currentKubeConfig.Clusters[currentKubeConfig.Contexts[contextName].Cluster], &v1Cluster, nil, diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go index e08316cfc..87ad76589 100644 --- a/cmd/pinniped/cmd/get_kubeconfig_test.go +++ b/cmd/pinniped/cmd/get_kubeconfig_test.go @@ -201,6 +201,7 @@ func TestNewGetKubeConfigCmd(t *testing.T) { }, spec.Parallel(), spec.Report(report.Terminal{})) } +//nolint: unparam func expectedKubeconfigYAML(clusterCAData, clusterServer, command, token, pinnipedEndpoint, pinnipedCABundle string) string { return here.Docf(` apiVersion: v1 @@ -636,6 +637,5 @@ func TestGetKubeConfig(t *testing.T) { r.Empty(outputBuffer.String()) }) }) - }, spec.Parallel(), spec.Report(report.Terminal{})) } From 831df90c93148a4f41c25aa15bcd38f71e30e58a Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Tue, 15 Sep 2020 11:00:38 -0400 Subject: [PATCH 11/32] test/integration: add integration test for pinniped cli --- test/integration/cli_test.go | 91 ++++++++++++++++++ test/integration/common_test.go | 102 +++++++++++++++++++++ test/integration/credentialrequest_test.go | 67 ++------------ test/library/client.go | 16 ++++ 4 files changed, 217 insertions(+), 59 deletions(-) create mode 100644 test/integration/cli_test.go create mode 100644 test/integration/common_test.go diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go new file mode 100644 index 000000000..968af4e99 --- /dev/null +++ b/test/integration/cli_test.go @@ -0,0 +1,91 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ +package integration + +import ( + "context" + "io/ioutil" + "os" + "os/exec" + "path/filepath" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/require" + + "github.com/suzerain-io/pinniped/test/library" +) + +func TestCLI(t *testing.T) { + library.SkipUnlessIntegration(t) + library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) + token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN") + namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE") + testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME") + expectedTestUserGroups := strings.Split( + strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",", + ) + + // Build pinniped CLI. + pinnipedExe, cleanupFunc := buildPinnipedCLI(t) + defer cleanupFunc() + + // Run pinniped CLI to get kubeconfig. + kubeConfig := runPinnipedCLI(t, pinnipedExe, token, namespaceName) + + // Create Kubernetes client with kubeconfig from pinniped CLI. + kubeClient := library.NewClientsetForKubeConfig(t, kubeConfig) + + // Validate that we can auth to the API via our user. + ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3) + defer cancelFunc() + + adminClient := library.NewClientset(t) + + t.Run("access as user", accessAsUserTest(ctx, adminClient, testUsername, kubeClient)) + for _, group := range expectedTestUserGroups { + group := group + t.Run( + "access as group "+group, + accessAsGroupTest(ctx, adminClient, group, kubeClient), + ) + } +} + +func buildPinnipedCLI(t *testing.T) (string, func()) { + t.Helper() + + pinnipedExeDir, err := ioutil.TempDir("", "pinniped-cli-test-*") + require.NoError(t, err) + + pinnipedExe := filepath.Join(pinnipedExeDir, "pinniped") + output, err := exec.Command( + "go", + "build", + "-o", + pinnipedExe, + "github.com/suzerain-io/pinniped/cmd/pinniped", + ).CombinedOutput() + require.NoError(t, err, string(output)) + + return pinnipedExe, func() { + require.NoError(t, os.RemoveAll(pinnipedExeDir)) + } +} + +func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string { + t.Helper() + + output, err := exec.Command( + pinnipedExe, + "get-kubeconfig", + "--token", token, + "--pinniped-namespace", namespaceName, + ).CombinedOutput() + require.NoError(t, err, string(output)) + + return string(output) +} diff --git a/test/integration/common_test.go b/test/integration/common_test.go new file mode 100644 index 000000000..abd35975e --- /dev/null +++ b/test/integration/common_test.go @@ -0,0 +1,102 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ +package integration + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + v1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" +) + +// accessAsUserTest runs a generic test in which a clientUnderTest operating with username +// testUsername tries to auth to the kube API (i.e., list namespaces). +// +// Use this function if you want to simply validate that a user can auth to the kube API after +// performing a Pinniped credential exchange. +func accessAsUserTest( + ctx context.Context, + adminClient kubernetes.Interface, + testUsername string, + clientUnderTest kubernetes.Interface, +) func(t *testing.T) { + return func(t *testing.T) { + addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "integration-test-user-readonly-role-binding", + }, + Subjects: []rbacv1.Subject{{ + Kind: rbacv1.UserKind, + APIGroup: rbacv1.GroupName, + Name: testUsername, + }}, + RoleRef: rbacv1.RoleRef{ + Kind: "ClusterRole", + APIGroup: rbacv1.GroupName, + Name: "view", + }, + }) + + // Use the client which is authenticated as the test user to list namespaces + var listNamespaceResponse *v1.NamespaceList + var err error + var canListNamespaces = func() bool { + listNamespaceResponse, err = clientUnderTest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) + return err == nil + } + assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) + require.NoError(t, err) // prints out the error and stops the test in case of failure + require.NotEmpty(t, listNamespaceResponse.Items) + } +} + +// accessAsGroupTest runs a generic test in which a clientUnderTest with membership in group +// testGroup tries to auth to the kube API (i.e., list namespaces). +// +// Use this function if you want to simply validate that a user can auth to the kube API (via +// a group membership) after performing a Pinniped credential exchange. +func accessAsGroupTest( + ctx context.Context, + adminClient kubernetes.Interface, + testGroup string, + clientUnderTest kubernetes.Interface, +) func(t *testing.T) { + return func(t *testing.T) { + addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "integration-test-group-readonly-role-binding", + }, + Subjects: []rbacv1.Subject{{ + Kind: rbacv1.GroupKind, + APIGroup: rbacv1.GroupName, + Name: testGroup, + }}, + RoleRef: rbacv1.RoleRef{ + Kind: "ClusterRole", + APIGroup: rbacv1.GroupName, + Name: "view", + }, + }) + + // Use the client which is authenticated as the test user to list namespaces + var listNamespaceResponse *v1.NamespaceList + var err error + var canListNamespaces = func() bool { + listNamespaceResponse, err = clientUnderTest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) + return err == nil + } + assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) + require.NoError(t, err) // prints out the error and stops the test in case of failure + require.NotEmpty(t, listNamespaceResponse.Items) + } +} diff --git a/test/integration/credentialrequest_test.go b/test/integration/credentialrequest_test.go index 285578585..ba8bd773a 100644 --- a/test/integration/credentialrequest_test.go +++ b/test/integration/credentialrequest_test.go @@ -14,9 +14,7 @@ import ( "testing" "time" - "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -61,65 +59,16 @@ func TestSuccessfulCredentialRequest(t *testing.T) { response.Status.Credential.ClientKeyData, ) - t.Run("access as user", func(t *testing.T) { - addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{ - Name: "integration-test-user-readonly-role-binding", - }, - Subjects: []rbacv1.Subject{{ - Kind: rbacv1.UserKind, - APIGroup: rbacv1.GroupName, - Name: testUsername, - }}, - RoleRef: rbacv1.RoleRef{ - Kind: "ClusterRole", - APIGroup: rbacv1.GroupName, - Name: "view", - }, - }) - - // Use the client which is authenticated as the test user to list namespaces - var listNamespaceResponse *v1.NamespaceList - var canListNamespaces = func() bool { - listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) - return err == nil - } - assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) - require.NoError(t, err) // prints out the error and stops the test in case of failure - require.NotEmpty(t, listNamespaceResponse.Items) - }) - + t.Run( + "access as user", + accessAsUserTest(ctx, adminClient, testUsername, clientWithCertFromCredentialRequest), + ) for _, group := range expectedTestUserGroups { group := group - t.Run("access as group "+group, func(t *testing.T) { - addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{ - Name: "integration-test-group-readonly-role-binding", - }, - Subjects: []rbacv1.Subject{{ - Kind: rbacv1.GroupKind, - APIGroup: rbacv1.GroupName, - Name: group, - }}, - RoleRef: rbacv1.RoleRef{ - Kind: "ClusterRole", - APIGroup: rbacv1.GroupName, - Name: "view", - }, - }) - - // Use the client which is authenticated as the test user to list namespaces - var listNamespaceResponse *v1.NamespaceList - var canListNamespaces = func() bool { - listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) - return err == nil - } - assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond) - require.NoError(t, err) // prints out the error and stops the test in case of failure - require.NotEmpty(t, listNamespaceResponse.Items) - }) + t.Run( + "access as group "+group, + accessAsGroupTest(ctx, adminClient, group, clientWithCertFromCredentialRequest), + ) } } diff --git a/test/library/client.go b/test/library/client.go index a7e895db4..1eb13328c 100644 --- a/test/library/client.go +++ b/test/library/client.go @@ -36,6 +36,22 @@ func NewClientset(t *testing.T) kubernetes.Interface { return newClientsetWithConfig(t, NewClientConfig(t)) } +func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface { + t.Helper() + + kubeConfigFile, err := ioutil.TempFile("", "pinniped-cli-test-*") + require.NoError(t, err) + defer os.Remove(kubeConfigFile.Name()) + + _, err = kubeConfigFile.Write([]byte(kubeConfig)) + require.NoError(t, err) + + restConfig, err := clientcmd.BuildConfigFromFlags("", kubeConfigFile.Name()) + require.NoError(t, err) + + return newClientsetWithConfig(t, restConfig) +} + func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface { t.Helper() From 4ced58b5b7da8052b884e0f1152e2d790e08a8d7 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 15 Sep 2020 09:05:40 -0700 Subject: [PATCH 12/32] Add help/usage units for CLI `exchange-credential` subcommand --- cmd/pinniped/cmd/exchange_credential.go | 40 ++++++-- cmd/pinniped/cmd/exchange_credential_test.go | 97 ++++++++++++++++++++ cmd/pinniped/cmd/get_kubeconfig_test.go | 73 +++++++-------- 3 files changed, 166 insertions(+), 44 deletions(-) diff --git a/cmd/pinniped/cmd/exchange_credential.go b/cmd/pinniped/cmd/exchange_credential.go index a9f3566f7..87f7b0f28 100644 --- a/cmd/pinniped/cmd/exchange_credential.go +++ b/cmd/pinniped/cmd/exchange_credential.go @@ -23,19 +23,39 @@ import ( //nolint: gochecknoinits func init() { - exchangeCredentialCmd := &cobra.Command{ - Run: runExchangeCredential, + rootCmd.AddCommand(newExchangeCredentialCmd(os.Args, os.Stdout, os.Stderr).cmd) +} + +type exchangeCredentialCommand struct { + // runFunc is called by the cobra.Command.Run hook. It is included here for + // testability. + runFunc func(stdout, stderr io.Writer) + + // cmd is the cobra.Command for this CLI command. It is included here for + // testability. + cmd *cobra.Command +} + +func newExchangeCredentialCmd(args []string, stdout, stderr io.Writer) *exchangeCredentialCommand { + c := &exchangeCredentialCommand{ + runFunc: runExchangeCredential, + } + + c.cmd = &cobra.Command{ + Run: func(cmd *cobra.Command, _ []string) { + c.runFunc(stdout, stderr) + }, Args: cobra.NoArgs, // do not accept positional arguments for this command Use: "exchange-credential", Short: "Exchange a credential for a cluster-specific access credential", Long: here.Doc(` Exchange a credential which proves your identity for a time-limited, cluster-specific access credential. - + Designed to be conveniently used as an credential plugin for kubectl. See the help message for 'pinniped get-kubeconfig' for more information about setting up a kubeconfig file using Pinniped. - + Requires all of the following environment variables, which are typically set in the kubeconfig: - PINNIPED_TOKEN: the token to send to Pinniped for exchange @@ -43,13 +63,17 @@ func init() { Pinniped's HTTPS endpoint - PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential exchange API - + For more information about credential plugins in general, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins `), } - rootCmd.AddCommand(exchangeCredentialCmd) + c.cmd.SetArgs(args) + c.cmd.SetOut(stdout) + c.cmd.SetErr(stderr) + + return c } type envGetter func(string) (string, bool) @@ -57,8 +81,8 @@ type tokenExchanger func(ctx context.Context, token, caBundle, apiEndpoint strin const ErrMissingEnvVar = constable.Error("failed to get credential: environment variable not set") -func runExchangeCredential(_ *cobra.Command, _ []string) { - err := exchangeCredential(os.LookupEnv, client.ExchangeToken, os.Stdout, 30*time.Second) +func runExchangeCredential(stdout, _ io.Writer) { + err := exchangeCredential(os.LookupEnv, client.ExchangeToken, stdout, 30*time.Second) if err != nil { _, _ = fmt.Fprintf(os.Stderr, "%s\n", err.Error()) os.Exit(1) diff --git a/cmd/pinniped/cmd/exchange_credential_test.go b/cmd/pinniped/cmd/exchange_credential_test.go index db8340203..0bf77bdc6 100644 --- a/cmd/pinniped/cmd/exchange_credential_test.go +++ b/cmd/pinniped/cmd/exchange_credential_test.go @@ -9,6 +9,7 @@ import ( "bytes" "context" "fmt" + "io" "testing" "time" @@ -18,9 +19,105 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" + "github.com/suzerain-io/pinniped/internal/here" "github.com/suzerain-io/pinniped/internal/testutil" ) +var ( + knownGoodUsageForExchangeCredential = here.Doc(` + Usage: + exchange-credential [flags] + + Flags: + -h, --help help for exchange-credential + + `) + + knownGoodHelpForExchangeCredential = here.Doc(` + Exchange a credential which proves your identity for a time-limited, + cluster-specific access credential. + + Designed to be conveniently used as an credential plugin for kubectl. + See the help message for 'pinniped get-kubeconfig' for more + information about setting up a kubeconfig file using Pinniped. + + Requires all of the following environment variables, which are + typically set in the kubeconfig: + - PINNIPED_TOKEN: the token to send to Pinniped for exchange + - PINNIPED_CA_BUNDLE: the CA bundle to trust when calling + Pinniped's HTTPS endpoint + - PINNIPED_K8S_API_ENDPOINT: the URL for the Pinniped credential + exchange API + + For more information about credential plugins in general, see + https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + + Usage: + exchange-credential [flags] + + Flags: + -h, --help help for exchange-credential + `) +) + +func TestNewCredentialExchangeCmd(t *testing.T) { + spec.Run(t, "newCredentialExchangeCmd", func(t *testing.T, when spec.G, it spec.S) { + var r *require.Assertions + var stdout, stderr *bytes.Buffer + + it.Before(func() { + r = require.New(t) + + stdout, stderr = bytes.NewBuffer([]byte{}), bytes.NewBuffer([]byte{}) + }) + + it("calls runFunc and does not print usage or help when correct arguments and flags are used", func() { + c := newExchangeCredentialCmd([]string{}, stdout, stderr) + + runFuncCalled := false + c.runFunc = func(out, err io.Writer) { + runFuncCalled = true + } + + r.NoError(c.cmd.Execute()) + r.True(runFuncCalled) + r.Empty(stdout.String()) + r.Empty(stderr.String()) + }) + + it("fails when args are passed", func() { + c := newExchangeCredentialCmd([]string{"some-arg"}, stdout, stderr) + + runFuncCalled := false + c.runFunc = func(out, err io.Writer) { + runFuncCalled = true + } + + errorMessage := `unknown command "some-arg" for "exchange-credential"` + r.EqualError(c.cmd.Execute(), errorMessage) + r.False(runFuncCalled) + + output := "Error: " + errorMessage + "\n" + knownGoodUsageForExchangeCredential + r.Equal(output, stdout.String()) + r.Empty(stderr.String()) + }) + + it("prints a nice help message", func() { + c := newExchangeCredentialCmd([]string{"--help"}, stdout, stderr) + + runFuncCalled := false + c.runFunc = func(out, err io.Writer) { + runFuncCalled = true + } + + r.NoError(c.cmd.Execute()) + r.False(runFuncCalled) + r.Equal(knownGoodHelpForExchangeCredential, stdout.String()) + r.Empty(stderr.String()) + }) + }, spec.Parallel(), spec.Report(report.Terminal{})) +} + func TestExchangeCredential(t *testing.T) { spec.Run(t, "cmd.exchangeCredential", func(t *testing.T, when spec.G, it spec.S) { var r *require.Assertions diff --git a/cmd/pinniped/cmd/get_kubeconfig_test.go b/cmd/pinniped/cmd/get_kubeconfig_test.go index 87ad76589..06738998f 100644 --- a/cmd/pinniped/cmd/get_kubeconfig_test.go +++ b/cmd/pinniped/cmd/get_kubeconfig_test.go @@ -26,46 +26,47 @@ import ( "github.com/suzerain-io/pinniped/internal/here" ) -const ( - knownGoodUsage = ` -Usage: - get-kubeconfig [flags] +var ( + knownGoodUsageForGetKubeConfig = here.Doc(` + Usage: + get-kubeconfig [flags] -Flags: - -h, --help help for get-kubeconfig - --kubeconfig string Path to the kubeconfig file - --kubeconfig-context string Kubeconfig context override - --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") - --token string Credential to include in the resulting kubeconfig output (Required) + Flags: + -h, --help help for get-kubeconfig + --kubeconfig string Path to the kubeconfig file + --kubeconfig-context string Kubeconfig context override + --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") + --token string Credential to include in the resulting kubeconfig output (Required) -` + `) - knownGoodHelp = `Print a kubeconfig for authenticating into a cluster via Pinniped. + knownGoodHelpForGetKubeConfig = here.Doc(` + Print a kubeconfig for authenticating into a cluster via Pinniped. -Requires admin-like access to the cluster using the current -kubeconfig context in order to access Pinniped's metadata. -The current kubeconfig is found similar to how kubectl finds it: -using the value of the --kubeconfig option, or if that is not -specified then from the value of the KUBECONFIG environment -variable, or if that is not specified then it defaults to -.kube/config in your home directory. + Requires admin-like access to the cluster using the current + kubeconfig context in order to access Pinniped's metadata. + The current kubeconfig is found similar to how kubectl finds it: + using the value of the --kubeconfig option, or if that is not + specified then from the value of the KUBECONFIG environment + variable, or if that is not specified then it defaults to + .kube/config in your home directory. -Prints a kubeconfig which is suitable to access the cluster using -Pinniped as the authentication mechanism. This kubeconfig output -can be saved to a file and used with future kubectl commands, e.g.: - pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig - kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods + Prints a kubeconfig which is suitable to access the cluster using + Pinniped as the authentication mechanism. This kubeconfig output + can be saved to a file and used with future kubectl commands, e.g.: + pinniped get-kubeconfig --token $MY_TOKEN > $HOME/mycluster-kubeconfig + kubectl --kubeconfig $HOME/mycluster-kubeconfig get pods -Usage: - get-kubeconfig [flags] + Usage: + get-kubeconfig [flags] -Flags: - -h, --help help for get-kubeconfig - --kubeconfig string Path to the kubeconfig file - --kubeconfig-context string Kubeconfig context override - --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") - --token string Credential to include in the resulting kubeconfig output (Required) -` + Flags: + -h, --help help for get-kubeconfig + --kubeconfig string Path to the kubeconfig file + --kubeconfig-context string Kubeconfig context override + --pinniped-namespace string Namespace in which Pinniped was installed (default "pinniped") + --token string Credential to include in the resulting kubeconfig output (Required) + `) ) func TestNewGetKubeConfigCmd(t *testing.T) { @@ -126,7 +127,7 @@ func TestNewGetKubeConfigCmd(t *testing.T) { r.EqualError(c.cmd.Execute(), errorMessage) r.False(runFuncCalled) - output := "Error: " + errorMessage + knownGoodUsage + output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig r.Equal(output, stdout.String()) r.Empty(stderr.String()) }) @@ -174,7 +175,7 @@ func TestNewGetKubeConfigCmd(t *testing.T) { r.EqualError(c.cmd.Execute(), errorMessage) r.False(runFuncCalled) - output := "Error: " + errorMessage + knownGoodUsage + output := "Error: " + errorMessage + "\n" + knownGoodUsageForGetKubeConfig r.Equal(output, stdout.String()) r.Empty(stderr.String()) }) @@ -195,7 +196,7 @@ func TestNewGetKubeConfigCmd(t *testing.T) { r.NoError(c.cmd.Execute()) r.False(runFuncCalled) - r.Equal(knownGoodHelp, stdout.String()) + r.Equal(knownGoodHelpForGetKubeConfig, stdout.String()) r.Empty(stderr.String()) }) }, spec.Parallel(), spec.Report(report.Terminal{})) From 9bb3d4ef28dc81099ddc330d83807519f7aada60 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 15 Sep 2020 11:22:35 -0500 Subject: [PATCH 13/32] Add .gitattributes as a hint to the GitHub diff viewer. Signed-off-by: Matt Moyer --- .gitattributes | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 000000000..cfe818449 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +*.go.tmpl linguist-language=Go +generated/** linguist-generated From 557fd0df26069b3c02fd62012a2d8733756fae14 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 1 Sep 2020 11:55:33 -0500 Subject: [PATCH 14/32] Define the WebhookIdentityProvider CRD. Signed-off-by: Matt Moyer --- apis/idp/doc.go.tmpl | 10 + apis/idp/v1alpha1/conversion.go.tmpl | 6 + apis/idp/v1alpha1/defaults.go.tmpl | 14 + apis/idp/v1alpha1/doc.go.tmpl | 14 + apis/idp/v1alpha1/register.go.tmpl | 45 ++++ apis/idp/v1alpha1/types_meta.go.tmpl | 77 ++++++ apis/idp/v1alpha1/types_tls.go.tmpl | 13 + apis/idp/v1alpha1/types_webhook.go.tmpl | 55 ++++ ...pinniped.dev_credentialissuerconfigs.yaml} | 0 ...pinniped.dev_webhookidentityproviders.yaml | 149 +++++++++++ generated/1.17/README.adoc | 105 ++++++++ generated/1.17/apis/idp/doc.go | 10 + .../1.17/apis/idp/v1alpha1/conversion.go | 6 + generated/1.17/apis/idp/v1alpha1/defaults.go | 14 + generated/1.17/apis/idp/v1alpha1/doc.go | 14 + generated/1.17/apis/idp/v1alpha1/register.go | 45 ++++ .../1.17/apis/idp/v1alpha1/types_meta.go | 77 ++++++ generated/1.17/apis/idp/v1alpha1/types_tls.go | 13 + .../1.17/apis/idp/v1alpha1/types_webhook.go | 55 ++++ .../idp/v1alpha1/zz_generated.conversion.go | 24 ++ .../idp/v1alpha1/zz_generated.deepcopy.go | 152 +++++++++++ .../idp/v1alpha1/zz_generated.defaults.go | 21 ++ .../1.17/apis/idp/zz_generated.deepcopy.go | 10 + .../client/clientset/versioned/clientset.go | 14 + .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/idp/v1alpha1/doc.go | 9 + .../versioned/typed/idp/v1alpha1/fake/doc.go | 9 + .../idp/v1alpha1/fake/fake_idp_client.go | 29 +++ .../fake/fake_webhookidentityprovider.go | 129 +++++++++ .../typed/idp/v1alpha1/generated_expansion.go | 10 + .../typed/idp/v1alpha1/idp_client.go | 78 ++++++ .../idp/v1alpha1/webhookidentityprovider.go | 180 +++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/idp/interface.go | 35 +++ .../idp/v1alpha1/interface.go | 34 +++ .../idp/v1alpha1/webhookidentityprovider.go | 78 ++++++ .../idp/v1alpha1/expansion_generated.go | 16 ++ .../idp/v1alpha1/webhookidentityprovider.go | 83 ++++++ .../client/openapi/zz_generated.openapi.go | 244 ++++++++++++++++++ ...pinniped.dev_webhookidentityproviders.yaml | 149 +++++++++++ generated/1.18/README.adoc | 105 ++++++++ generated/1.18/apis/idp/doc.go | 10 + .../1.18/apis/idp/v1alpha1/conversion.go | 6 + generated/1.18/apis/idp/v1alpha1/defaults.go | 14 + generated/1.18/apis/idp/v1alpha1/doc.go | 14 + generated/1.18/apis/idp/v1alpha1/register.go | 45 ++++ .../1.18/apis/idp/v1alpha1/types_meta.go | 77 ++++++ generated/1.18/apis/idp/v1alpha1/types_tls.go | 13 + .../1.18/apis/idp/v1alpha1/types_webhook.go | 55 ++++ .../idp/v1alpha1/zz_generated.conversion.go | 24 ++ .../idp/v1alpha1/zz_generated.deepcopy.go | 152 +++++++++++ .../idp/v1alpha1/zz_generated.defaults.go | 21 ++ .../1.18/apis/idp/zz_generated.deepcopy.go | 10 + .../client/clientset/versioned/clientset.go | 14 + .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/idp/v1alpha1/doc.go | 9 + .../versioned/typed/idp/v1alpha1/fake/doc.go | 9 + .../idp/v1alpha1/fake/fake_idp_client.go | 29 +++ .../fake/fake_webhookidentityprovider.go | 131 ++++++++++ .../typed/idp/v1alpha1/generated_expansion.go | 10 + .../typed/idp/v1alpha1/idp_client.go | 78 ++++++ .../idp/v1alpha1/webhookidentityprovider.go | 184 +++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/idp/interface.go | 35 +++ .../idp/v1alpha1/interface.go | 34 +++ .../idp/v1alpha1/webhookidentityprovider.go | 79 ++++++ .../idp/v1alpha1/expansion_generated.go | 16 ++ .../idp/v1alpha1/webhookidentityprovider.go | 83 ++++++ .../client/openapi/zz_generated.openapi.go | 244 ++++++++++++++++++ ...pinniped.dev_webhookidentityproviders.yaml | 149 +++++++++++ generated/1.19/README.adoc | 105 ++++++++ generated/1.19/apis/idp/doc.go | 10 + .../1.19/apis/idp/v1alpha1/conversion.go | 6 + generated/1.19/apis/idp/v1alpha1/defaults.go | 14 + generated/1.19/apis/idp/v1alpha1/doc.go | 14 + generated/1.19/apis/idp/v1alpha1/register.go | 45 ++++ .../1.19/apis/idp/v1alpha1/types_meta.go | 77 ++++++ generated/1.19/apis/idp/v1alpha1/types_tls.go | 13 + .../1.19/apis/idp/v1alpha1/types_webhook.go | 55 ++++ .../idp/v1alpha1/zz_generated.conversion.go | 66 +++++ .../idp/v1alpha1/zz_generated.deepcopy.go | 152 +++++++++++ .../idp/v1alpha1/zz_generated.defaults.go | 21 ++ .../1.19/apis/idp/zz_generated.deepcopy.go | 10 + .../client/clientset/versioned/clientset.go | 14 + .../versioned/fake/clientset_generated.go | 7 + .../clientset/versioned/fake/register.go | 2 + .../clientset/versioned/scheme/register.go | 2 + .../versioned/typed/idp/v1alpha1/doc.go | 9 + .../versioned/typed/idp/v1alpha1/fake/doc.go | 9 + .../idp/v1alpha1/fake/fake_idp_client.go | 29 +++ .../fake/fake_webhookidentityprovider.go | 131 ++++++++++ .../typed/idp/v1alpha1/generated_expansion.go | 10 + .../typed/idp/v1alpha1/idp_client.go | 78 ++++++ .../idp/v1alpha1/webhookidentityprovider.go | 184 +++++++++++++ .../informers/externalversions/factory.go | 6 + .../informers/externalversions/generic.go | 5 + .../externalversions/idp/interface.go | 35 +++ .../idp/v1alpha1/interface.go | 34 +++ .../idp/v1alpha1/webhookidentityprovider.go | 79 ++++++ .../idp/v1alpha1/expansion_generated.go | 16 ++ .../idp/v1alpha1/webhookidentityprovider.go | 88 +++++++ .../client/openapi/zz_generated.openapi.go | 244 ++++++++++++++++++ ...pinniped.dev_webhookidentityproviders.yaml | 149 +++++++++++ hack/lib/docs/config.yaml | 1 + hack/lib/update-codegen.sh | 7 +- hack/update.sh | 2 +- 112 files changed, 5445 insertions(+), 4 deletions(-) create mode 100644 apis/idp/doc.go.tmpl create mode 100644 apis/idp/v1alpha1/conversion.go.tmpl create mode 100644 apis/idp/v1alpha1/defaults.go.tmpl create mode 100644 apis/idp/v1alpha1/doc.go.tmpl create mode 100644 apis/idp/v1alpha1/register.go.tmpl create mode 100644 apis/idp/v1alpha1/types_meta.go.tmpl create mode 100644 apis/idp/v1alpha1/types_tls.go.tmpl create mode 100644 apis/idp/v1alpha1/types_webhook.go.tmpl rename deploy/{crd.yaml => crd.pinniped.dev_credentialissuerconfigs.yaml} (100%) create mode 100644 deploy/idp.pinniped.dev_webhookidentityproviders.yaml create mode 100644 generated/1.17/apis/idp/doc.go create mode 100644 generated/1.17/apis/idp/v1alpha1/conversion.go create mode 100644 generated/1.17/apis/idp/v1alpha1/defaults.go create mode 100644 generated/1.17/apis/idp/v1alpha1/doc.go create mode 100644 generated/1.17/apis/idp/v1alpha1/register.go create mode 100644 generated/1.17/apis/idp/v1alpha1/types_meta.go create mode 100644 generated/1.17/apis/idp/v1alpha1/types_tls.go create mode 100644 generated/1.17/apis/idp/v1alpha1/types_webhook.go create mode 100644 generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.17/apis/idp/zz_generated.deepcopy.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go create mode 100644 generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.17/client/informers/externalversions/idp/interface.go create mode 100644 generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go create mode 100644 generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go create mode 100644 generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml create mode 100644 generated/1.18/apis/idp/doc.go create mode 100644 generated/1.18/apis/idp/v1alpha1/conversion.go create mode 100644 generated/1.18/apis/idp/v1alpha1/defaults.go create mode 100644 generated/1.18/apis/idp/v1alpha1/doc.go create mode 100644 generated/1.18/apis/idp/v1alpha1/register.go create mode 100644 generated/1.18/apis/idp/v1alpha1/types_meta.go create mode 100644 generated/1.18/apis/idp/v1alpha1/types_tls.go create mode 100644 generated/1.18/apis/idp/v1alpha1/types_webhook.go create mode 100644 generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.18/apis/idp/zz_generated.deepcopy.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go create mode 100644 generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.18/client/informers/externalversions/idp/interface.go create mode 100644 generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go create mode 100644 generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go create mode 100644 generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml create mode 100644 generated/1.19/apis/idp/doc.go create mode 100644 generated/1.19/apis/idp/v1alpha1/conversion.go create mode 100644 generated/1.19/apis/idp/v1alpha1/defaults.go create mode 100644 generated/1.19/apis/idp/v1alpha1/doc.go create mode 100644 generated/1.19/apis/idp/v1alpha1/register.go create mode 100644 generated/1.19/apis/idp/v1alpha1/types_meta.go create mode 100644 generated/1.19/apis/idp/v1alpha1/types_tls.go create mode 100644 generated/1.19/apis/idp/v1alpha1/types_webhook.go create mode 100644 generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go create mode 100644 generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go create mode 100644 generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go create mode 100644 generated/1.19/apis/idp/zz_generated.deepcopy.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go create mode 100644 generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.19/client/informers/externalversions/idp/interface.go create mode 100644 generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go create mode 100644 generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go create mode 100644 generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go create mode 100644 generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml diff --git a/apis/idp/doc.go.tmpl b/apis/idp/doc.go.tmpl new file mode 100644 index 000000000..b7689b2b9 --- /dev/null +++ b/apis/idp/doc.go.tmpl @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/apis/idp/v1alpha1/conversion.go.tmpl b/apis/idp/v1alpha1/conversion.go.tmpl new file mode 100644 index 000000000..63bc360fe --- /dev/null +++ b/apis/idp/v1alpha1/conversion.go.tmpl @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/apis/idp/v1alpha1/defaults.go.tmpl b/apis/idp/v1alpha1/defaults.go.tmpl new file mode 100644 index 000000000..ba08404de --- /dev/null +++ b/apis/idp/v1alpha1/defaults.go.tmpl @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/apis/idp/v1alpha1/doc.go.tmpl b/apis/idp/v1alpha1/doc.go.tmpl new file mode 100644 index 000000000..2fc5b55c2 --- /dev/null +++ b/apis/idp/v1alpha1/doc.go.tmpl @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/GENERATED_PKG/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/apis/idp/v1alpha1/register.go.tmpl b/apis/idp/v1alpha1/register.go.tmpl new file mode 100644 index 000000000..b7878a213 --- /dev/null +++ b/apis/idp/v1alpha1/register.go.tmpl @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/apis/idp/v1alpha1/types_meta.go.tmpl b/apis/idp/v1alpha1/types_meta.go.tmpl new file mode 100644 index 000000000..fe4a5c252 --- /dev/null +++ b/apis/idp/v1alpha1/types_meta.go.tmpl @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/apis/idp/v1alpha1/types_tls.go.tmpl b/apis/idp/v1alpha1/types_tls.go.tmpl new file mode 100644 index 000000000..64f355e63 --- /dev/null +++ b/apis/idp/v1alpha1/types_tls.go.tmpl @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/apis/idp/v1alpha1/types_webhook.go.tmpl b/apis/idp/v1alpha1/types_webhook.go.tmpl new file mode 100644 index 000000000..046a16cbd --- /dev/null +++ b/apis/idp/v1alpha1/types_webhook.go.tmpl @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/deploy/crd.yaml b/deploy/crd.pinniped.dev_credentialissuerconfigs.yaml similarity index 100% rename from deploy/crd.yaml rename to deploy/crd.pinniped.dev_credentialissuerconfigs.yaml diff --git a/deploy/idp.pinniped.dev_webhookidentityproviders.yaml b/deploy/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 000000000..213b7ad20 --- /dev/null +++ b/deploy/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 44028a1dc..9d6cf898f 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -6,6 +6,7 @@ .Packages - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$] @@ -95,6 +96,110 @@ Status of a credential issuer. +[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"] +=== idp.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for configuring TLS on various identity providers. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider"] +==== WebhookIdentityProvider + +WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderspec"] +==== WebhookIdentityProviderSpec + +Spec for configuring a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`endpoint`* __string__ | Webhook server endpoint URL. +| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityproviderstatus"] +==== WebhookIdentityProviderStatus + +Status of a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-pinniped-dev-v1alpha1"] === pinniped.dev/v1alpha1 diff --git a/generated/1.17/apis/idp/doc.go b/generated/1.17/apis/idp/doc.go new file mode 100644 index 000000000..b7689b2b9 --- /dev/null +++ b/generated/1.17/apis/idp/doc.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/generated/1.17/apis/idp/v1alpha1/conversion.go b/generated/1.17/apis/idp/v1alpha1/conversion.go new file mode 100644 index 000000000..63bc360fe --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/conversion.go @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/generated/1.17/apis/idp/v1alpha1/defaults.go b/generated/1.17/apis/idp/v1alpha1/defaults.go new file mode 100644 index 000000000..ba08404de --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/defaults.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.17/apis/idp/v1alpha1/doc.go b/generated/1.17/apis/idp/v1alpha1/doc.go new file mode 100644 index 000000000..5c4eeaadb --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/doc.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.17/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/generated/1.17/apis/idp/v1alpha1/register.go b/generated/1.17/apis/idp/v1alpha1/register.go new file mode 100644 index 000000000..b7878a213 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.17/apis/idp/v1alpha1/types_meta.go b/generated/1.17/apis/idp/v1alpha1/types_meta.go new file mode 100644 index 000000000..fe4a5c252 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/types_meta.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.17/apis/idp/v1alpha1/types_tls.go b/generated/1.17/apis/idp/v1alpha1/types_tls.go new file mode 100644 index 000000000..64f355e63 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/types_tls.go @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.17/apis/idp/v1alpha1/types_webhook.go b/generated/1.17/apis/idp/v1alpha1/types_webhook.go new file mode 100644 index 000000000..046a16cbd --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/types_webhook.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go new file mode 100644 index 000000000..f39942f82 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/zz_generated.conversion.go @@ -0,0 +1,24 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + return nil +} diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 000000000..29ed1e8e7 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,152 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider. +func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider { + if in == nil { + return nil + } + out := new(WebhookIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]WebhookIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList. +func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec. +func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus. +func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go new file mode 100644 index 000000000..1612aa4d6 --- /dev/null +++ b/generated/1.17/apis/idp/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.17/apis/idp/zz_generated.deepcopy.go b/generated/1.17/apis/idp/zz_generated.deepcopy.go new file mode 100644 index 000000000..0869390d3 --- /dev/null +++ b/generated/1.17/apis/idp/zz_generated.deepcopy.go @@ -0,0 +1,10 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package idp diff --git a/generated/1.17/client/clientset/versioned/clientset.go b/generated/1.17/client/clientset/versioned/clientset.go index b383ee3b6..3c7fd8a5e 100644 --- a/generated/1.17/client/clientset/versioned/clientset.go +++ b/generated/1.17/client/clientset/versioned/clientset.go @@ -11,6 +11,7 @@ import ( "fmt" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -20,6 +21,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface } @@ -28,6 +30,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client } @@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return c.crdV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return c.pinnipedV1alpha1 @@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err @@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) @@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) diff --git a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go index 037f6b271..50fb438f4 100644 --- a/generated/1.17/client/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.17/client/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( clientset "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1" fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1" fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/pinniped/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" @@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake} } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake} diff --git a/generated/1.17/client/clientset/versioned/fake/register.go b/generated/1.17/client/clientset/versioned/fake/register.go index 870a40fc1..4aaf5bc08 100644 --- a/generated/1.17/client/clientset/versioned/fake/register.go +++ b/generated/1.17/client/clientset/versioned/fake/register.go @@ -9,6 +9,7 @@ package fake import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.17/client/clientset/versioned/scheme/register.go b/generated/1.17/client/clientset/versioned/scheme/register.go index db9ab47f7..0c0f370f5 100644 --- a/generated/1.17/client/clientset/versioned/scheme/register.go +++ b/generated/1.17/client/clientset/versioned/scheme/register.go @@ -9,6 +9,7 @@ package scheme import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 000000000..40c99ba8e --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 000000000..d51c7ce76 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 000000000..c2218c54f --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,29 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface { + return &FakeWebhookIdentityProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go new file mode 100644 index 000000000..d95c4173d --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go @@ -0,0 +1,129 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface +type FakeWebhookIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"} + +var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *FakeWebhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *FakeWebhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *FakeWebhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeWebhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeWebhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeWebhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOptions) + + _, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *FakeWebhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 000000000..bd61370a8 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type WebhookIdentityProviderExpansion interface{} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 000000000..e1f7eb1e2 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + WebhookIdentityProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface { + return newWebhookIdentityProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..ea52e30d1 --- /dev/null +++ b/generated/1.17/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,180 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "time" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + scheme "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface. +// A group's client should implement this interface. +type WebhookIdentityProvidersGetter interface { + WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface +} + +// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources. +type WebhookIdentityProviderInterface interface { + Create(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) + Update(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) + UpdateStatus(*v1alpha1.WebhookIdentityProvider) (*v1alpha1.WebhookIdentityProvider, error) + Delete(name string, options *v1.DeleteOptions) error + DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error + Get(name string, options v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error) + List(opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error) + Watch(opts v1.ListOptions) (watch.Interface, error) + Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) + WebhookIdentityProviderExpansion +} + +// webhookIdentityProviders implements WebhookIdentityProviderInterface +type webhookIdentityProviders struct { + client rest.Interface + ns string +} + +// newWebhookIdentityProviders returns a WebhookIdentityProviders +func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders { + return &webhookIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *webhookIdentityProviders) Get(name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *webhookIdentityProviders) List(opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.WebhookIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *webhookIdentityProviders) Watch(opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch() +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Create(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Body(webhookIdentityProvider). + Do(). + Into(result) + return +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Update(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + Body(webhookIdentityProvider). + Do(). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). + +func (c *webhookIdentityProviders) UpdateStatus(webhookIdentityProvider *v1alpha1.WebhookIdentityProvider) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + SubResource("status"). + Body(webhookIdentityProvider). + Do(). + Into(result) + return +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *webhookIdentityProviders) Delete(name string, options *v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + Body(options). + Do(). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *webhookIdentityProviders) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error { + var timeout time.Duration + if listOptions.TimeoutSeconds != nil { + timeout = time.Duration(*listOptions.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&listOptions, scheme.ParameterCodec). + Timeout(timeout). + Body(options). + Do(). + Error() +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *webhookIdentityProviders) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("webhookidentityproviders"). + SubResource(subresources...). + Name(name). + Body(data). + Do(). + Into(result) + return +} diff --git a/generated/1.17/client/informers/externalversions/factory.go b/generated/1.17/client/informers/externalversions/factory.go index d8dcbc661..334b9895f 100644 --- a/generated/1.17/client/informers/externalversions/factory.go +++ b/generated/1.17/client/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned" crdpinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/crdpinniped" + idp "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp" internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" pinniped "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/pinniped" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -163,6 +164,7 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Crd() crdpinniped.Interface + IDP() idp.Interface Pinniped() pinniped.Interface } @@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface { return crdpinniped.New(f, f.namespace, f.tweakListOptions) } +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} + func (f *sharedInformerFactory) Pinniped() pinniped.Interface { return pinniped.New(f, f.namespace, f.tweakListOptions) } diff --git a/generated/1.17/client/informers/externalversions/generic.go b/generated/1.17/client/informers/externalversions/generic.go index 2f3625039..a1e05321c 100644 --- a/generated/1.17/client/informers/externalversions/generic.go +++ b/generated/1.17/client/informers/externalversions/generic.go @@ -11,6 +11,7 @@ import ( "fmt" v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" @@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil + // Group=idp.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil + // Group=pinniped.dev, Version=v1alpha1 case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"): return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil diff --git a/generated/1.17/client/informers/externalversions/idp/interface.go b/generated/1.17/client/informers/externalversions/idp/interface.go new file mode 100644 index 000000000..3fbbb292e --- /dev/null +++ b/generated/1.17/client/informers/externalversions/idp/interface.go @@ -0,0 +1,35 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/idp/v1alpha1" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 000000000..f30b988e6 --- /dev/null +++ b/generated/1.17/client/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,34 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // WebhookIdentityProviders returns a WebhookIdentityProviderInformer. + WebhookIdentityProviders() WebhookIdentityProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// WebhookIdentityProviders returns a WebhookIdentityProviderInformer. +func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer { + return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..c1b6587e5 --- /dev/null +++ b/generated/1.17/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + time "time" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + versioned "github.com/suzerain-io/pinniped/generated/1.17/client/clientset/versioned" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.17/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/client/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderInformer provides access to a shared informer and lister for +// WebhookIdentityProviders. +type WebhookIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.WebhookIdentityProviderLister +} + +type webhookIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(options) + }, + }, + &idpv1alpha1.WebhookIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer) +} + +func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister { + return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 000000000..61d85cbee --- /dev/null +++ b/generated/1.17/client/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,16 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// WebhookIdentityProviderListerExpansion allows custom methods to be added to +// WebhookIdentityProviderLister. +type WebhookIdentityProviderListerExpansion interface{} + +// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// WebhookIdentityProviderNamespaceLister. +type WebhookIdentityProviderNamespaceListerExpansion interface{} diff --git a/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..d7107c009 --- /dev/null +++ b/generated/1.17/client/listers/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,83 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderLister helps list WebhookIdentityProviders. +type WebhookIdentityProviderLister interface { + // List lists all WebhookIdentityProviders in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. + WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister + WebhookIdentityProviderListerExpansion +} + +// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface. +type webhookIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister. +func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister { + return &webhookIdentityProviderLister{indexer: indexer} +} + +// List lists all WebhookIdentityProviders in the indexer. +func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. +func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister { + return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders. +type WebhookIdentityProviderNamespaceLister interface { + // List lists all WebhookIdentityProviders in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.WebhookIdentityProvider, error) + WebhookIdentityProviderNamespaceListerExpansion +} + +// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister +// interface. +type webhookIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all WebhookIdentityProviders in the indexer for a given namespace. +func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. +func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name) + } + return obj.(*v1alpha1.WebhookIdentityProvider), nil +} diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go index 7f3e64395..d74a7c8f0 100644 --- a/generated/1.17/client/openapi/zz_generated.openapi.go +++ b/generated/1.17/client/openapi/zz_generated.openapi.go @@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition": schema_117_apis_idp_v1alpha1_Condition(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec": schema_117_apis_idp_v1alpha1_TLSSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider": schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequest": schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref), "github.com/suzerain-io/pinniped/generated/1.17/apis/pinniped/v1alpha1.CredentialRequestList": schema_117_apis_pinniped_v1alpha1_CredentialRequestList(ref), @@ -283,6 +289,244 @@ func schema_117_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com } } +func schema_117_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type of condition in CamelCase or in foo.example.com/CamelCase.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a human readable message indicating details about the transition. This may be an empty string.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime", "reason", "message"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_117_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Configuration for configuring TLS on various identity providers.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthorityData": { + SchemaProps: spec.SchemaProps{ + Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "List of WebhookIdentityProvider objects.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "endpoint": { + SchemaProps: spec.SchemaProps{ + Description: "Webhook server endpoint URL.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS configuration.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec"), + }, + }, + }, + Required: []string{"endpoint"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.TLSSpec"}, + } +} + +func schema_117_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Status of a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Represents the observations of an identity provider's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.17/apis/idp/v1alpha1.Condition"}, + } +} + func schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 000000000..213b7ad20 --- /dev/null +++ b/generated/1.17/crds/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index 99e78c4ae..e78c5cd8a 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -6,6 +6,7 @@ .Packages - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$] @@ -95,6 +96,110 @@ Status of a credential issuer. +[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"] +=== idp.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for configuring TLS on various identity providers. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider"] +==== WebhookIdentityProvider + +WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderspec"] +==== WebhookIdentityProviderSpec + +Spec for configuring a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`endpoint`* __string__ | Webhook server endpoint URL. +| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityproviderstatus"] +==== WebhookIdentityProviderStatus + +Status of a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-pinniped-dev-v1alpha1"] === pinniped.dev/v1alpha1 diff --git a/generated/1.18/apis/idp/doc.go b/generated/1.18/apis/idp/doc.go new file mode 100644 index 000000000..b7689b2b9 --- /dev/null +++ b/generated/1.18/apis/idp/doc.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/generated/1.18/apis/idp/v1alpha1/conversion.go b/generated/1.18/apis/idp/v1alpha1/conversion.go new file mode 100644 index 000000000..63bc360fe --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/conversion.go @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/generated/1.18/apis/idp/v1alpha1/defaults.go b/generated/1.18/apis/idp/v1alpha1/defaults.go new file mode 100644 index 000000000..ba08404de --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/defaults.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.18/apis/idp/v1alpha1/doc.go b/generated/1.18/apis/idp/v1alpha1/doc.go new file mode 100644 index 000000000..a6ef10151 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/doc.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.18/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/generated/1.18/apis/idp/v1alpha1/register.go b/generated/1.18/apis/idp/v1alpha1/register.go new file mode 100644 index 000000000..b7878a213 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.18/apis/idp/v1alpha1/types_meta.go b/generated/1.18/apis/idp/v1alpha1/types_meta.go new file mode 100644 index 000000000..fe4a5c252 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/types_meta.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.18/apis/idp/v1alpha1/types_tls.go b/generated/1.18/apis/idp/v1alpha1/types_tls.go new file mode 100644 index 000000000..64f355e63 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/types_tls.go @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.18/apis/idp/v1alpha1/types_webhook.go b/generated/1.18/apis/idp/v1alpha1/types_webhook.go new file mode 100644 index 000000000..046a16cbd --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/types_webhook.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go new file mode 100644 index 000000000..f39942f82 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/zz_generated.conversion.go @@ -0,0 +1,24 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + return nil +} diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 000000000..29ed1e8e7 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,152 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider. +func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider { + if in == nil { + return nil + } + out := new(WebhookIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]WebhookIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList. +func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec. +func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus. +func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go new file mode 100644 index 000000000..1612aa4d6 --- /dev/null +++ b/generated/1.18/apis/idp/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.18/apis/idp/zz_generated.deepcopy.go b/generated/1.18/apis/idp/zz_generated.deepcopy.go new file mode 100644 index 000000000..0869390d3 --- /dev/null +++ b/generated/1.18/apis/idp/zz_generated.deepcopy.go @@ -0,0 +1,10 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package idp diff --git a/generated/1.18/client/clientset/versioned/clientset.go b/generated/1.18/client/clientset/versioned/clientset.go index eea8d7272..0ba43fa01 100644 --- a/generated/1.18/client/clientset/versioned/clientset.go +++ b/generated/1.18/client/clientset/versioned/clientset.go @@ -11,6 +11,7 @@ import ( "fmt" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -20,6 +21,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface } @@ -28,6 +30,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client } @@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return c.crdV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return c.pinnipedV1alpha1 @@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err @@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) @@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) diff --git a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go index 2d456ffb5..d5f54f632 100644 --- a/generated/1.18/client/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.18/client/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( clientset "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1" fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1" fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/pinniped/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" @@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake} } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake} diff --git a/generated/1.18/client/clientset/versioned/fake/register.go b/generated/1.18/client/clientset/versioned/fake/register.go index a247e760a..d18a2f511 100644 --- a/generated/1.18/client/clientset/versioned/fake/register.go +++ b/generated/1.18/client/clientset/versioned/fake/register.go @@ -9,6 +9,7 @@ package fake import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme) var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.18/client/clientset/versioned/scheme/register.go b/generated/1.18/client/clientset/versioned/scheme/register.go index 41b989c8e..988170d1b 100644 --- a/generated/1.18/client/clientset/versioned/scheme/register.go +++ b/generated/1.18/client/clientset/versioned/scheme/register.go @@ -9,6 +9,7 @@ package scheme import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 000000000..40c99ba8e --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 000000000..d51c7ce76 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 000000000..234859902 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,29 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface { + return &FakeWebhookIdentityProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go new file mode 100644 index 000000000..828d35011 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go @@ -0,0 +1,131 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface +type FakeWebhookIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"} + +var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 000000000..bd61370a8 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type WebhookIdentityProviderExpansion interface{} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 000000000..eebbf121c --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + WebhookIdentityProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface { + return newWebhookIdentityProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..8d6c2f500 --- /dev/null +++ b/generated/1.18/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,184 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + scheme "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface. +// A group's client should implement this interface. +type WebhookIdentityProvidersGetter interface { + WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface +} + +// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources. +type WebhookIdentityProviderInterface interface { + Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) + WebhookIdentityProviderExpansion +} + +// webhookIdentityProviders implements WebhookIdentityProviderInterface +type webhookIdentityProviders struct { + client rest.Interface + ns string +} + +// newWebhookIdentityProviders returns a WebhookIdentityProviders +func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders { + return &webhookIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.WebhookIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.18/client/informers/externalversions/factory.go b/generated/1.18/client/informers/externalversions/factory.go index 4158afea0..95d174a77 100644 --- a/generated/1.18/client/informers/externalversions/factory.go +++ b/generated/1.18/client/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned" crdpinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/crdpinniped" + idp "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp" internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" pinniped "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/pinniped" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -163,6 +164,7 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Crd() crdpinniped.Interface + IDP() idp.Interface Pinniped() pinniped.Interface } @@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface { return crdpinniped.New(f, f.namespace, f.tweakListOptions) } +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} + func (f *sharedInformerFactory) Pinniped() pinniped.Interface { return pinniped.New(f, f.namespace, f.tweakListOptions) } diff --git a/generated/1.18/client/informers/externalversions/generic.go b/generated/1.18/client/informers/externalversions/generic.go index e2db3b46b..5d8fa30f3 100644 --- a/generated/1.18/client/informers/externalversions/generic.go +++ b/generated/1.18/client/informers/externalversions/generic.go @@ -11,6 +11,7 @@ import ( "fmt" v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" @@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil + // Group=idp.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil + // Group=pinniped.dev, Version=v1alpha1 case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"): return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil diff --git a/generated/1.18/client/informers/externalversions/idp/interface.go b/generated/1.18/client/informers/externalversions/idp/interface.go new file mode 100644 index 000000000..ce1701988 --- /dev/null +++ b/generated/1.18/client/informers/externalversions/idp/interface.go @@ -0,0 +1,35 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/idp/v1alpha1" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 000000000..f8bdc5766 --- /dev/null +++ b/generated/1.18/client/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,34 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // WebhookIdentityProviders returns a WebhookIdentityProviderInformer. + WebhookIdentityProviders() WebhookIdentityProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// WebhookIdentityProviders returns a WebhookIdentityProviderInformer. +func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer { + return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..609951dbc --- /dev/null +++ b/generated/1.18/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,79 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + versioned "github.com/suzerain-io/pinniped/generated/1.18/client/clientset/versioned" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.18/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/client/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderInformer provides access to a shared informer and lister for +// WebhookIdentityProviders. +type WebhookIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.WebhookIdentityProviderLister +} + +type webhookIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.WebhookIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer) +} + +func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister { + return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 000000000..61d85cbee --- /dev/null +++ b/generated/1.18/client/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,16 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// WebhookIdentityProviderListerExpansion allows custom methods to be added to +// WebhookIdentityProviderLister. +type WebhookIdentityProviderListerExpansion interface{} + +// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// WebhookIdentityProviderNamespaceLister. +type WebhookIdentityProviderNamespaceListerExpansion interface{} diff --git a/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..6014a7b3c --- /dev/null +++ b/generated/1.18/client/listers/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,83 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderLister helps list WebhookIdentityProviders. +type WebhookIdentityProviderLister interface { + // List lists all WebhookIdentityProviders in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. + WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister + WebhookIdentityProviderListerExpansion +} + +// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface. +type webhookIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister. +func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister { + return &webhookIdentityProviderLister{indexer: indexer} +} + +// List lists all WebhookIdentityProviders in the indexer. +func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. +func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister { + return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders. +type WebhookIdentityProviderNamespaceLister interface { + // List lists all WebhookIdentityProviders in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.WebhookIdentityProvider, error) + WebhookIdentityProviderNamespaceListerExpansion +} + +// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister +// interface. +type webhookIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all WebhookIdentityProviders in the indexer for a given namespace. +func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. +func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name) + } + return obj.(*v1alpha1.WebhookIdentityProvider), nil +} diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go index 564319afe..89ffed825 100644 --- a/generated/1.18/client/openapi/zz_generated.openapi.go +++ b/generated/1.18/client/openapi/zz_generated.openapi.go @@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition": schema_118_apis_idp_v1alpha1_Condition(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec": schema_118_apis_idp_v1alpha1_TLSSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider": schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequest": schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref), "github.com/suzerain-io/pinniped/generated/1.18/apis/pinniped/v1alpha1.CredentialRequestList": schema_118_apis_pinniped_v1alpha1_CredentialRequestList(ref), @@ -283,6 +289,244 @@ func schema_118_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com } } +func schema_118_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type of condition in CamelCase or in foo.example.com/CamelCase.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a human readable message indicating details about the transition. This may be an empty string.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime", "reason", "message"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_118_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Configuration for configuring TLS on various identity providers.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthorityData": { + SchemaProps: spec.SchemaProps{ + Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "List of WebhookIdentityProvider objects.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "endpoint": { + SchemaProps: spec.SchemaProps{ + Description: "Webhook server endpoint URL.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS configuration.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec"), + }, + }, + }, + Required: []string{"endpoint"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.TLSSpec"}, + } +} + +func schema_118_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Status of a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Represents the observations of an identity provider's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.18/apis/idp/v1alpha1.Condition"}, + } +} + func schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 000000000..213b7ad20 --- /dev/null +++ b/generated/1.18/crds/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index 57d176cc0..b6016dd2f 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -6,6 +6,7 @@ .Packages - xref:{anchor_prefix}-crd-pinniped-dev-v1alpha1[$$crd.pinniped.dev/v1alpha1$$] +- xref:{anchor_prefix}-idp-pinniped-dev-v1alpha1[$$idp.pinniped.dev/v1alpha1$$] - xref:{anchor_prefix}-pinniped-dev-v1alpha1[$$pinniped.dev/v1alpha1$$] @@ -95,6 +96,110 @@ Status of a credential issuer. +[id="{anchor_prefix}-idp-pinniped-dev-v1alpha1"] +=== idp.pinniped.dev/v1alpha1 + +Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-condition"] +==== Condition + +Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`type`* __string__ | type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) +| *`status`* __ConditionStatus__ | status of the condition, one of True, False, Unknown. +| *`observedGeneration`* __integer__ | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. +| *`lastTransitionTime`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#time-v1-meta[$$Time$$]__ | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. +| *`reason`* __string__ | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. +| *`message`* __string__ | message is a human readable message indicating details about the transition. This may be an empty string. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-tlsspec"] +==== TLSSpec + +Configuration for configuring TLS on various identity providers. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`certificateAuthorityData`* __string__ | X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider"] +==== WebhookIdentityProvider + +WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderlist[$$WebhookIdentityProviderList$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`metadata`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#objectmeta-v1-meta[$$ObjectMeta$$]__ | Refer to Kubernetes API documentation for fields of `metadata`. + +| *`spec`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec[$$WebhookIdentityProviderSpec$$]__ | Spec for configuring the identity provider. +| *`status`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus[$$WebhookIdentityProviderStatus$$]__ | Status of the identity provider. +|=== + + + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderspec"] +==== WebhookIdentityProviderSpec + +Spec for configuring a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`endpoint`* __string__ | Webhook server endpoint URL. +| *`tls`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-tlsspec[$$TLSSpec$$]__ | TLS configuration. +|=== + + +[id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityproviderstatus"] +==== WebhookIdentityProviderStatus + +Status of a webhook identity provider. + +.Appears In: +**** +- xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-webhookidentityprovider[$$WebhookIdentityProvider$$] +**** + +[cols="25a,75a", options="header"] +|=== +| Field | Description +| *`conditions`* __xref:{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-idp-v1alpha1-condition[$$Condition$$]__ | Represents the observations of an identity provider's current state. +|=== + + + [id="{anchor_prefix}-pinniped-dev-v1alpha1"] === pinniped.dev/v1alpha1 diff --git a/generated/1.19/apis/idp/doc.go b/generated/1.19/apis/idp/doc.go new file mode 100644 index 000000000..b7689b2b9 --- /dev/null +++ b/generated/1.19/apis/idp/doc.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:deepcopy-gen=package +// +groupName=idp.pinniped.dev + +// Package idp is the internal version of the Pinniped identity provider API. +package idp diff --git a/generated/1.19/apis/idp/v1alpha1/conversion.go b/generated/1.19/apis/idp/v1alpha1/conversion.go new file mode 100644 index 000000000..63bc360fe --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/conversion.go @@ -0,0 +1,6 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 diff --git a/generated/1.19/apis/idp/v1alpha1/defaults.go b/generated/1.19/apis/idp/v1alpha1/defaults.go new file mode 100644 index 000000000..ba08404de --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/defaults.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" +) + +func addDefaultingFuncs(scheme *runtime.Scheme) error { + return RegisterDefaults(scheme) +} diff --git a/generated/1.19/apis/idp/v1alpha1/doc.go b/generated/1.19/apis/idp/v1alpha1/doc.go new file mode 100644 index 000000000..183dd7356 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/doc.go @@ -0,0 +1,14 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=github.com/suzerain-io/pinniped/generated/1.19/apis/idp +// +k8s:defaulter-gen=TypeMeta +// +groupName=idp.pinniped.dev +// +groupGoName=IDP + +// Package v1alpha1 is the v1alpha1 version of the Pinniped identity provider API. +package v1alpha1 diff --git a/generated/1.19/apis/idp/v1alpha1/register.go b/generated/1.19/apis/idp/v1alpha1/register.go new file mode 100644 index 000000000..b7878a213 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +const GroupName = "idp.pinniped.dev" + +// SchemeGroupVersion is group version used to register these objects. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes, addDefaultingFuncs) +} + +// Adds the list of known types to the given scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &WebhookIdentityProvider{}, + &WebhookIdentityProviderList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource. +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} diff --git a/generated/1.19/apis/idp/v1alpha1/types_meta.go b/generated/1.19/apis/idp/v1alpha1/types_meta.go new file mode 100644 index 000000000..fe4a5c252 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/types_meta.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// ConditionStatus is effectively an enum type for Condition.Status. +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in the condition. +// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes +// can't decide if a resource is in the condition or not. In the future, we could add other +// intermediate conditions, e.g. ConditionDegraded. +const ( + ConditionTrue ConditionStatus = "True" + ConditionFalse ConditionStatus = "False" + ConditionUnknown ConditionStatus = "Unknown" +) + +// Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API +// version we can switch to using the upstream type. +// See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. +type Condition struct { + // type of condition in CamelCase or in foo.example.com/CamelCase. + // --- + // Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + // useful (see .node.status.conditions), the ability to deconflict is important. + // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` + // +kubebuilder:validation:MaxLength=316 + Type string `json:"type"` + + // status of the condition, one of True, False, Unknown. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // observedGeneration represents the .metadata.generation that the condition was set based upon. + // For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + // with respect to the current state of the instance. + // +optional + // +kubebuilder:validation:Minimum=0 + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // lastTransitionTime is the last time the condition transitioned from one status to another. + // This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:Type=string + // +kubebuilder:validation:Format=date-time + LastTransitionTime metav1.Time `json:"lastTransitionTime"` + + // reason contains a programmatic identifier indicating the reason for the condition's last transition. + // Producers of specific condition types may define expected values and meanings for this field, + // and whether the values are considered a guaranteed API. + // The value should be a CamelCase string. + // This field may not be empty. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=1024 + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` + Reason string `json:"reason"` + + // message is a human readable message indicating details about the transition. + // This may be an empty string. + // +required + // +kubebuilder:validation:Required + // +kubebuilder:validation:MaxLength=32768 + Message string `json:"message"` +} diff --git a/generated/1.19/apis/idp/v1alpha1/types_tls.go b/generated/1.19/apis/idp/v1alpha1/types_tls.go new file mode 100644 index 000000000..64f355e63 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/types_tls.go @@ -0,0 +1,13 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +// Configuration for configuring TLS on various identity providers. +type TLSSpec struct { + // X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted. + // +optional + CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"` +} diff --git a/generated/1.19/apis/idp/v1alpha1/types_webhook.go b/generated/1.19/apis/idp/v1alpha1/types_webhook.go new file mode 100644 index 000000000..046a16cbd --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/types_webhook.go @@ -0,0 +1,55 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package v1alpha1 + +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + +// Status of a webhook identity provider. +type WebhookIdentityProviderStatus struct { + // Represents the observations of an identity provider's current state. + // +patchMergeKey=type + // +patchStrategy=merge + // +listType=map + // +listMapKey=type + Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"` +} + +// Spec for configuring a webhook identity provider. +type WebhookIdentityProviderSpec struct { + // Webhook server endpoint URL. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:Pattern=`^https://` + Endpoint string `json:"endpoint"` + + // TLS configuration. + // +optional + TLS *TLSSpec `json:"tls,omitempty"` +} + +// WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider. +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:categories=all;idp;idps,shortName=webhookidp;webhookidps +// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint` +type WebhookIdentityProvider struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec for configuring the identity provider. + Spec WebhookIdentityProviderSpec `json:"spec"` + + // Status of the identity provider. + Status WebhookIdentityProviderStatus `json:"status,omitempty"` +} + +// List of WebhookIdentityProvider objects. +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +type WebhookIdentityProviderList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + + Items []WebhookIdentityProvider `json:"items"` +} diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go b/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go new file mode 100644 index 000000000..1131cdffa --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/zz_generated.conversion.go @@ -0,0 +1,66 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*Condition)(nil), (*v1.Condition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_Condition_To_v1_Condition(a.(*Condition), b.(*v1.Condition), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1.Condition)(nil), (*Condition)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_Condition_To_v1alpha1_Condition(a.(*v1.Condition), b.(*Condition), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1alpha1_Condition_To_v1_Condition(in *Condition, out *v1.Condition, s conversion.Scope) error { + out.Type = in.Type + out.Status = v1.ConditionStatus(in.Status) + out.ObservedGeneration = in.ObservedGeneration + out.LastTransitionTime = in.LastTransitionTime + out.Reason = in.Reason + out.Message = in.Message + return nil +} + +// Convert_v1alpha1_Condition_To_v1_Condition is an autogenerated conversion function. +func Convert_v1alpha1_Condition_To_v1_Condition(in *Condition, out *v1.Condition, s conversion.Scope) error { + return autoConvert_v1alpha1_Condition_To_v1_Condition(in, out, s) +} + +func autoConvert_v1_Condition_To_v1alpha1_Condition(in *v1.Condition, out *Condition, s conversion.Scope) error { + out.Type = in.Type + out.Status = ConditionStatus(in.Status) + out.ObservedGeneration = in.ObservedGeneration + out.LastTransitionTime = in.LastTransitionTime + out.Reason = in.Reason + out.Message = in.Message + return nil +} + +// Convert_v1_Condition_To_v1alpha1_Condition is an autogenerated conversion function. +func Convert_v1_Condition_To_v1alpha1_Condition(in *v1.Condition, out *Condition, s conversion.Scope) error { + return autoConvert_v1_Condition_To_v1alpha1_Condition(in, out, s) +} diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go b/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go new file mode 100644 index 000000000..29ed1e8e7 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/zz_generated.deepcopy.go @@ -0,0 +1,152 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSpec) DeepCopyInto(out *TLSSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec. +func (in *TLSSpec) DeepCopy() *TLSSpec { + if in == nil { + return nil + } + out := new(TLSSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProvider) DeepCopyInto(out *WebhookIdentityProvider) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProvider. +func (in *WebhookIdentityProvider) DeepCopy() *WebhookIdentityProvider { + if in == nil { + return nil + } + out := new(WebhookIdentityProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProvider) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderList) DeepCopyInto(out *WebhookIdentityProviderList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]WebhookIdentityProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderList. +func (in *WebhookIdentityProviderList) DeepCopy() *WebhookIdentityProviderList { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *WebhookIdentityProviderList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderSpec) DeepCopyInto(out *WebhookIdentityProviderSpec) { + *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSSpec) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderSpec. +func (in *WebhookIdentityProviderSpec) DeepCopy() *WebhookIdentityProviderSpec { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WebhookIdentityProviderStatus) DeepCopyInto(out *WebhookIdentityProviderStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookIdentityProviderStatus. +func (in *WebhookIdentityProviderStatus) DeepCopy() *WebhookIdentityProviderStatus { + if in == nil { + return nil + } + out := new(WebhookIdentityProviderStatus) + in.DeepCopyInto(out) + return out +} diff --git a/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go b/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go new file mode 100644 index 000000000..1612aa4d6 --- /dev/null +++ b/generated/1.19/apis/idp/v1alpha1/zz_generated.defaults.go @@ -0,0 +1,21 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/generated/1.19/apis/idp/zz_generated.deepcopy.go b/generated/1.19/apis/idp/zz_generated.deepcopy.go new file mode 100644 index 000000000..0869390d3 --- /dev/null +++ b/generated/1.19/apis/idp/zz_generated.deepcopy.go @@ -0,0 +1,10 @@ +// +build !ignore_autogenerated + +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package idp diff --git a/generated/1.19/client/clientset/versioned/clientset.go b/generated/1.19/client/clientset/versioned/clientset.go index a5a23ff35..98dfba501 100644 --- a/generated/1.19/client/clientset/versioned/clientset.go +++ b/generated/1.19/client/clientset/versioned/clientset.go @@ -11,6 +11,7 @@ import ( "fmt" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -20,6 +21,7 @@ import ( type Interface interface { Discovery() discovery.DiscoveryInterface CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface + IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface } @@ -28,6 +30,7 @@ type Interface interface { type Clientset struct { *discovery.DiscoveryClient crdV1alpha1 *crdv1alpha1.CrdV1alpha1Client + iDPV1alpha1 *idpv1alpha1.IDPV1alpha1Client pinnipedV1alpha1 *pinnipedv1alpha1.PinnipedV1alpha1Client } @@ -36,6 +39,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return c.crdV1alpha1 } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return c.iDPV1alpha1 +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return c.pinnipedV1alpha1 @@ -66,6 +74,10 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { if err != nil { return nil, err } + cs.iDPV1alpha1, err = idpv1alpha1.NewForConfig(&configShallowCopy) + if err != nil { + return nil, err + } cs.pinnipedV1alpha1, err = pinnipedv1alpha1.NewForConfig(&configShallowCopy) if err != nil { return nil, err @@ -83,6 +95,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) { func NewForConfigOrDie(c *rest.Config) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.NewForConfigOrDie(c) + cs.iDPV1alpha1 = idpv1alpha1.NewForConfigOrDie(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.NewForConfigOrDie(c) cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c) @@ -93,6 +106,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset { func New(c rest.Interface) *Clientset { var cs Clientset cs.crdV1alpha1 = crdv1alpha1.New(c) + cs.iDPV1alpha1 = idpv1alpha1.New(c) cs.pinnipedV1alpha1 = pinnipedv1alpha1.New(c) cs.DiscoveryClient = discovery.NewDiscoveryClient(c) diff --git a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go index 00669ec4d..fd85bb1bd 100644 --- a/generated/1.19/client/clientset/versioned/fake/clientset_generated.go +++ b/generated/1.19/client/clientset/versioned/fake/clientset_generated.go @@ -11,6 +11,8 @@ import ( clientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1" fakecrdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/crdpinniped/v1alpha1/fake" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1" + fakeidpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1" fakepinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/pinniped/v1alpha1/fake" "k8s.io/apimachinery/pkg/runtime" @@ -72,6 +74,11 @@ func (c *Clientset) CrdV1alpha1() crdv1alpha1.CrdV1alpha1Interface { return &fakecrdv1alpha1.FakeCrdV1alpha1{Fake: &c.Fake} } +// IDPV1alpha1 retrieves the IDPV1alpha1Client +func (c *Clientset) IDPV1alpha1() idpv1alpha1.IDPV1alpha1Interface { + return &fakeidpv1alpha1.FakeIDPV1alpha1{Fake: &c.Fake} +} + // PinnipedV1alpha1 retrieves the PinnipedV1alpha1Client func (c *Clientset) PinnipedV1alpha1() pinnipedv1alpha1.PinnipedV1alpha1Interface { return &fakepinnipedv1alpha1.FakePinnipedV1alpha1{Fake: &c.Fake} diff --git a/generated/1.19/client/clientset/versioned/fake/register.go b/generated/1.19/client/clientset/versioned/fake/register.go index ce878f5f3..b127ef49f 100644 --- a/generated/1.19/client/clientset/versioned/fake/register.go +++ b/generated/1.19/client/clientset/versioned/fake/register.go @@ -9,6 +9,7 @@ package fake import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var codecs = serializer.NewCodecFactory(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.19/client/clientset/versioned/scheme/register.go b/generated/1.19/client/clientset/versioned/scheme/register.go index 02388b090..16bd8ac69 100644 --- a/generated/1.19/client/clientset/versioned/scheme/register.go +++ b/generated/1.19/client/clientset/versioned/scheme/register.go @@ -9,6 +9,7 @@ package scheme import ( crdv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -22,6 +23,7 @@ var Codecs = serializer.NewCodecFactory(Scheme) var ParameterCodec = runtime.NewParameterCodec(Scheme) var localSchemeBuilder = runtime.SchemeBuilder{ crdv1alpha1.AddToScheme, + idpv1alpha1.AddToScheme, pinnipedv1alpha1.AddToScheme, } diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go new file mode 100644 index 000000000..40c99ba8e --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// This package has the automatically generated typed clients. +package v1alpha1 diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go new file mode 100644 index 000000000..d51c7ce76 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/doc.go @@ -0,0 +1,9 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +// Package fake has the automatically generated clients. +package fake diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go new file mode 100644 index 000000000..de3b2613c --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_idp_client.go @@ -0,0 +1,29 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1" + rest "k8s.io/client-go/rest" + testing "k8s.io/client-go/testing" +) + +type FakeIDPV1alpha1 struct { + *testing.Fake +} + +func (c *FakeIDPV1alpha1) WebhookIdentityProviders(namespace string) v1alpha1.WebhookIdentityProviderInterface { + return &FakeWebhookIdentityProviders{c, namespace} +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *FakeIDPV1alpha1) RESTClient() rest.Interface { + var ret *rest.RESTClient + return ret +} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go new file mode 100644 index 000000000..9358c9f07 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/fake/fake_webhookidentityprovider.go @@ -0,0 +1,131 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeWebhookIdentityProviders implements WebhookIdentityProviderInterface +type FakeWebhookIdentityProviders struct { + Fake *FakeIDPV1alpha1 + ns string +} + +var webhookidentityprovidersResource = schema.GroupVersionResource{Group: "idp.pinniped.dev", Version: "v1alpha1", Resource: "webhookidentityproviders"} + +var webhookidentityprovidersKind = schema.GroupVersionKind{Group: "idp.pinniped.dev", Version: "v1alpha1", Kind: "WebhookIdentityProvider"} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *FakeWebhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *FakeWebhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(webhookidentityprovidersResource, webhookidentityprovidersKind, c.ns, opts), &v1alpha1.WebhookIdentityProviderList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.WebhookIdentityProviderList{ListMeta: obj.(*v1alpha1.WebhookIdentityProviderList).ListMeta} + for _, item := range obj.(*v1alpha1.WebhookIdentityProviderList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *FakeWebhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(webhookidentityprovidersResource, c.ns, opts)) + +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *FakeWebhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(webhookidentityprovidersResource, c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *FakeWebhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateSubresourceAction(webhookidentityprovidersResource, "status", c.ns, webhookIdentityProvider), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *FakeWebhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(webhookidentityprovidersResource, c.ns, name), &v1alpha1.WebhookIdentityProvider{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeWebhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(webhookidentityprovidersResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.WebhookIdentityProviderList{}) + return err +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *FakeWebhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(webhookidentityprovidersResource, c.ns, name, pt, data, subresources...), &v1alpha1.WebhookIdentityProvider{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.WebhookIdentityProvider), err +} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go new file mode 100644 index 000000000..bd61370a8 --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/generated_expansion.go @@ -0,0 +1,10 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +type WebhookIdentityProviderExpansion interface{} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go new file mode 100644 index 000000000..6edbb29ba --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/idp_client.go @@ -0,0 +1,78 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/scheme" + rest "k8s.io/client-go/rest" +) + +type IDPV1alpha1Interface interface { + RESTClient() rest.Interface + WebhookIdentityProvidersGetter +} + +// IDPV1alpha1Client is used to interact with features provided by the idp.pinniped.dev group. +type IDPV1alpha1Client struct { + restClient rest.Interface +} + +func (c *IDPV1alpha1Client) WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface { + return newWebhookIdentityProviders(c, namespace) +} + +// NewForConfig creates a new IDPV1alpha1Client for the given config. +func NewForConfig(c *rest.Config) (*IDPV1alpha1Client, error) { + config := *c + if err := setConfigDefaults(&config); err != nil { + return nil, err + } + client, err := rest.RESTClientFor(&config) + if err != nil { + return nil, err + } + return &IDPV1alpha1Client{client}, nil +} + +// NewForConfigOrDie creates a new IDPV1alpha1Client for the given config and +// panics if there is an error in the config. +func NewForConfigOrDie(c *rest.Config) *IDPV1alpha1Client { + client, err := NewForConfig(c) + if err != nil { + panic(err) + } + return client +} + +// New creates a new IDPV1alpha1Client for the given RESTClient. +func New(c rest.Interface) *IDPV1alpha1Client { + return &IDPV1alpha1Client{c} +} + +func setConfigDefaults(config *rest.Config) error { + gv := v1alpha1.SchemeGroupVersion + config.GroupVersion = &gv + config.APIPath = "/apis" + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() + + if config.UserAgent == "" { + config.UserAgent = rest.DefaultKubernetesUserAgent() + } + + return nil +} + +// RESTClient returns a RESTClient that is used to communicate +// with API server by this client implementation. +func (c *IDPV1alpha1Client) RESTClient() rest.Interface { + if c == nil { + return nil + } + return c.restClient +} diff --git a/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..4c4e2c7cd --- /dev/null +++ b/generated/1.19/client/clientset/versioned/typed/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,184 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + scheme "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// WebhookIdentityProvidersGetter has a method to return a WebhookIdentityProviderInterface. +// A group's client should implement this interface. +type WebhookIdentityProvidersGetter interface { + WebhookIdentityProviders(namespace string) WebhookIdentityProviderInterface +} + +// WebhookIdentityProviderInterface has methods to work with WebhookIdentityProvider resources. +type WebhookIdentityProviderInterface interface { + Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (*v1alpha1.WebhookIdentityProvider, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.WebhookIdentityProvider, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.WebhookIdentityProviderList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) + WebhookIdentityProviderExpansion +} + +// webhookIdentityProviders implements WebhookIdentityProviderInterface +type webhookIdentityProviders struct { + client rest.Interface + ns string +} + +// newWebhookIdentityProviders returns a WebhookIdentityProviders +func newWebhookIdentityProviders(c *IDPV1alpha1Client, namespace string) *webhookIdentityProviders { + return &webhookIdentityProviders{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the webhookIdentityProvider, and returns the corresponding webhookIdentityProvider object, and an error if there is any. +func (c *webhookIdentityProviders) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of WebhookIdentityProviders that match those selectors. +func (c *webhookIdentityProviders) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.WebhookIdentityProviderList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.WebhookIdentityProviderList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested webhookIdentityProviders. +func (c *webhookIdentityProviders) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a webhookIdentityProvider and creates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Create(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.CreateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Post(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a webhookIdentityProvider and updates it. Returns the server's representation of the webhookIdentityProvider, and an error, if there is any. +func (c *webhookIdentityProviders) Update(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// UpdateStatus was generated because the type contains a Status member. +// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). +func (c *webhookIdentityProviders) UpdateStatus(ctx context.Context, webhookIdentityProvider *v1alpha1.WebhookIdentityProvider, opts v1.UpdateOptions) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Put(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(webhookIdentityProvider.Name). + SubResource("status"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(webhookIdentityProvider). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the webhookIdentityProvider and deletes it. Returns an error if one occurs. +func (c *webhookIdentityProviders) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *webhookIdentityProviders) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("webhookidentityproviders"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched webhookIdentityProvider. +func (c *webhookIdentityProviders) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.WebhookIdentityProvider, err error) { + result = &v1alpha1.WebhookIdentityProvider{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("webhookidentityproviders"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/generated/1.19/client/informers/externalversions/factory.go b/generated/1.19/client/informers/externalversions/factory.go index 40ea7aaea..b32ab8cd5 100644 --- a/generated/1.19/client/informers/externalversions/factory.go +++ b/generated/1.19/client/informers/externalversions/factory.go @@ -14,6 +14,7 @@ import ( versioned "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" crdpinniped "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/crdpinniped" + idp "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp" internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" pinniped "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/pinniped" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -163,6 +164,7 @@ type SharedInformerFactory interface { WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool Crd() crdpinniped.Interface + IDP() idp.Interface Pinniped() pinniped.Interface } @@ -170,6 +172,10 @@ func (f *sharedInformerFactory) Crd() crdpinniped.Interface { return crdpinniped.New(f, f.namespace, f.tweakListOptions) } +func (f *sharedInformerFactory) IDP() idp.Interface { + return idp.New(f, f.namespace, f.tweakListOptions) +} + func (f *sharedInformerFactory) Pinniped() pinniped.Interface { return pinniped.New(f, f.namespace, f.tweakListOptions) } diff --git a/generated/1.19/client/informers/externalversions/generic.go b/generated/1.19/client/informers/externalversions/generic.go index 698ab80d4..a112ff409 100644 --- a/generated/1.19/client/informers/externalversions/generic.go +++ b/generated/1.19/client/informers/externalversions/generic.go @@ -11,6 +11,7 @@ import ( "fmt" v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1" + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" pinnipedv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1" schema "k8s.io/apimachinery/pkg/runtime/schema" cache "k8s.io/client-go/tools/cache" @@ -46,6 +47,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource case v1alpha1.SchemeGroupVersion.WithResource("credentialissuerconfigs"): return &genericInformer{resource: resource.GroupResource(), informer: f.Crd().V1alpha1().CredentialIssuerConfigs().Informer()}, nil + // Group=idp.pinniped.dev, Version=v1alpha1 + case idpv1alpha1.SchemeGroupVersion.WithResource("webhookidentityproviders"): + return &genericInformer{resource: resource.GroupResource(), informer: f.IDP().V1alpha1().WebhookIdentityProviders().Informer()}, nil + // Group=pinniped.dev, Version=v1alpha1 case pinnipedv1alpha1.SchemeGroupVersion.WithResource("credentialrequests"): return &genericInformer{resource: resource.GroupResource(), informer: f.Pinniped().V1alpha1().CredentialRequests().Informer()}, nil diff --git a/generated/1.19/client/informers/externalversions/idp/interface.go b/generated/1.19/client/informers/externalversions/idp/interface.go new file mode 100644 index 000000000..206b43f50 --- /dev/null +++ b/generated/1.19/client/informers/externalversions/idp/interface.go @@ -0,0 +1,35 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package idp + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to each of this group's versions. +type Interface interface { + // V1alpha1 provides access to shared informers for resources in V1alpha1. + V1alpha1() v1alpha1.Interface +} + +type group struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &group{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// V1alpha1 returns a new v1alpha1.Interface. +func (g *group) V1alpha1() v1alpha1.Interface { + return v1alpha1.New(g.factory, g.namespace, g.tweakListOptions) +} diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go b/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go new file mode 100644 index 000000000..3927d66ff --- /dev/null +++ b/generated/1.19/client/informers/externalversions/idp/v1alpha1/interface.go @@ -0,0 +1,34 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" +) + +// Interface provides access to all the informers in this group version. +type Interface interface { + // WebhookIdentityProviders returns a WebhookIdentityProviderInformer. + WebhookIdentityProviders() WebhookIdentityProviderInformer +} + +type version struct { + factory internalinterfaces.SharedInformerFactory + namespace string + tweakListOptions internalinterfaces.TweakListOptionsFunc +} + +// New returns a new Interface. +func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface { + return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} +} + +// WebhookIdentityProviders returns a WebhookIdentityProviderInformer. +func (v *version) WebhookIdentityProviders() WebhookIdentityProviderInformer { + return &webhookIdentityProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} diff --git a/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..65df56202 --- /dev/null +++ b/generated/1.19/client/informers/externalversions/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,79 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + versioned "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" + internalinterfaces "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/client/listers/idp/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderInformer provides access to a shared informer and lister for +// WebhookIdentityProviders. +type WebhookIdentityProviderInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.WebhookIdentityProviderLister +} + +type webhookIdentityProviderInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredWebhookIdentityProviderInformer constructs a new informer for WebhookIdentityProvider type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredWebhookIdentityProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.IDPV1alpha1().WebhookIdentityProviders(namespace).Watch(context.TODO(), options) + }, + }, + &idpv1alpha1.WebhookIdentityProvider{}, + resyncPeriod, + indexers, + ) +} + +func (f *webhookIdentityProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredWebhookIdentityProviderInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *webhookIdentityProviderInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&idpv1alpha1.WebhookIdentityProvider{}, f.defaultInformer) +} + +func (f *webhookIdentityProviderInformer) Lister() v1alpha1.WebhookIdentityProviderLister { + return v1alpha1.NewWebhookIdentityProviderLister(f.Informer().GetIndexer()) +} diff --git a/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go b/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go new file mode 100644 index 000000000..61d85cbee --- /dev/null +++ b/generated/1.19/client/listers/idp/v1alpha1/expansion_generated.go @@ -0,0 +1,16 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +// WebhookIdentityProviderListerExpansion allows custom methods to be added to +// WebhookIdentityProviderLister. +type WebhookIdentityProviderListerExpansion interface{} + +// WebhookIdentityProviderNamespaceListerExpansion allows custom methods to be added to +// WebhookIdentityProviderNamespaceLister. +type WebhookIdentityProviderNamespaceListerExpansion interface{} diff --git a/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go b/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go new file mode 100644 index 000000000..531015881 --- /dev/null +++ b/generated/1.19/client/listers/idp/v1alpha1/webhookidentityprovider.go @@ -0,0 +1,88 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// WebhookIdentityProviderLister helps list WebhookIdentityProviders. +// All objects returned here must be treated as read-only. +type WebhookIdentityProviderLister interface { + // List lists all WebhookIdentityProviders in the indexer. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. + WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister + WebhookIdentityProviderListerExpansion +} + +// webhookIdentityProviderLister implements the WebhookIdentityProviderLister interface. +type webhookIdentityProviderLister struct { + indexer cache.Indexer +} + +// NewWebhookIdentityProviderLister returns a new WebhookIdentityProviderLister. +func NewWebhookIdentityProviderLister(indexer cache.Indexer) WebhookIdentityProviderLister { + return &webhookIdentityProviderLister{indexer: indexer} +} + +// List lists all WebhookIdentityProviders in the indexer. +func (s *webhookIdentityProviderLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// WebhookIdentityProviders returns an object that can list and get WebhookIdentityProviders. +func (s *webhookIdentityProviderLister) WebhookIdentityProviders(namespace string) WebhookIdentityProviderNamespaceLister { + return webhookIdentityProviderNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// WebhookIdentityProviderNamespaceLister helps list and get WebhookIdentityProviders. +// All objects returned here must be treated as read-only. +type WebhookIdentityProviderNamespaceLister interface { + // List lists all WebhookIdentityProviders in the indexer for a given namespace. + // Objects returned here must be treated as read-only. + List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) + // Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. + // Objects returned here must be treated as read-only. + Get(name string) (*v1alpha1.WebhookIdentityProvider, error) + WebhookIdentityProviderNamespaceListerExpansion +} + +// webhookIdentityProviderNamespaceLister implements the WebhookIdentityProviderNamespaceLister +// interface. +type webhookIdentityProviderNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all WebhookIdentityProviders in the indexer for a given namespace. +func (s webhookIdentityProviderNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.WebhookIdentityProvider, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.WebhookIdentityProvider)) + }) + return ret, err +} + +// Get retrieves the WebhookIdentityProvider from the indexer for a given namespace and name. +func (s webhookIdentityProviderNamespaceLister) Get(name string) (*v1alpha1.WebhookIdentityProvider, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("webhookidentityprovider"), name) + } + return obj.(*v1alpha1.WebhookIdentityProvider), nil +} diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go index 2b066cbfb..284b45c60 100644 --- a/generated/1.19/client/openapi/zz_generated.openapi.go +++ b/generated/1.19/client/openapi/zz_generated.openapi.go @@ -24,6 +24,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigList": schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigList(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStatus": schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStatus(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/crdpinniped/v1alpha1.CredentialIssuerConfigStrategy": schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.Condition": schema_119_apis_idp_v1alpha1_Condition(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.TLSSpec": schema_119_apis_idp_v1alpha1_TLSSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider": schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderList": schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec": schema_119_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref), + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus": schema_119_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1.CredentialRequest": schema_119_apis_pinniped_v1alpha1_CredentialRequest(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1.CredentialRequestCredential": schema_119_apis_pinniped_v1alpha1_CredentialRequestCredential(ref), "github.com/suzerain-io/pinniped/generated/1.19/apis/pinniped/v1alpha1.CredentialRequestList": schema_119_apis_pinniped_v1alpha1_CredentialRequestList(ref), @@ -284,6 +290,244 @@ func schema_119_apis_crdpinniped_v1alpha1_CredentialIssuerConfigStrategy(ref com } } +func schema_119_apis_idp_v1alpha1_Condition(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type of condition in CamelCase or in foo.example.com/CamelCase.", + Type: []string{"string"}, + Format: "", + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "status of the condition, one of True, False, Unknown.", + Type: []string{"string"}, + Format: "", + }, + }, + "observedGeneration": { + SchemaProps: spec.SchemaProps{ + Description: "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + "lastTransitionTime": { + SchemaProps: spec.SchemaProps{ + Description: "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"), + }, + }, + "reason": { + SchemaProps: spec.SchemaProps{ + Description: "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + Type: []string{"string"}, + Format: "", + }, + }, + "message": { + SchemaProps: spec.SchemaProps{ + Description: "message is a human readable message indicating details about the transition. This may be an empty string.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"type", "status", "lastTransitionTime", "reason", "message"}, + }, + }, + Dependencies: []string{ + "k8s.io/apimachinery/pkg/apis/meta/v1.Time"}, + } +} + +func schema_119_apis_idp_v1alpha1_TLSSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Configuration for configuring TLS on various identity providers.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "certificateAuthorityData": { + SchemaProps: spec.SchemaProps{ + Description: "X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProvider(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "WebhookIdentityProvider describes the configuration of a Pinniped webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "spec": { + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status of the identity provider.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus"), + }, + }, + }, + Required: []string{"spec"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderSpec", "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProviderStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "List of WebhookIdentityProvider objects.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"), + }, + }, + "items": { + SchemaProps: spec.SchemaProps{ + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider"), + }, + }, + }, + }, + }, + }, + Required: []string{"items"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.WebhookIdentityProvider", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"}, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Spec for configuring a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "endpoint": { + SchemaProps: spec.SchemaProps{ + Description: "Webhook server endpoint URL.", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS configuration.", + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.TLSSpec"), + }, + }, + }, + Required: []string{"endpoint"}, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.TLSSpec"}, + } +} + +func schema_119_apis_idp_v1alpha1_WebhookIdentityProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "Status of a webhook identity provider.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "conditions": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-map-keys": []interface{}{ + "type", + }, + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "Represents the observations of an identity provider's current state.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Ref: ref("github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.Condition"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1.Condition"}, + } +} + func schema_119_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml b/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml new file mode 100644 index 000000000..213b7ad20 --- /dev/null +++ b/generated/1.19/crds/idp.pinniped.dev_webhookidentityproviders.yaml @@ -0,0 +1,149 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + name: webhookidentityproviders.idp.pinniped.dev +spec: + group: idp.pinniped.dev + names: + categories: + - all + - idp + - idps + kind: WebhookIdentityProvider + listKind: WebhookIdentityProviderList + plural: webhookidentityproviders + shortNames: + - webhookidp + - webhookidps + singular: webhookidentityprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.endpoint + name: Endpoint + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WebhookIdentityProvider describes the configuration of a Pinniped + webhook identity provider. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for configuring the identity provider. + properties: + endpoint: + description: Webhook server endpoint URL. + minLength: 1 + pattern: ^https:// + type: string + tls: + description: TLS configuration. + properties: + certificateAuthorityData: + description: X.509 Certificate Authority (base64-encoded PEM bundle). + If omitted, a default set of system roots will be trusted. + type: string + type: object + required: + - endpoint + type: object + status: + description: Status of the identity provider. + properties: + conditions: + description: Represents the observations of an identity provider's + current state. + items: + description: Condition status of a resource (mirrored from the metav1.Condition + type added in Kubernetes 1.19). In a future API version we can + switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413. + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/hack/lib/docs/config.yaml b/hack/lib/docs/config.yaml index 9ecc75a22..2a01e07c9 100644 --- a/hack/lib/docs/config.yaml +++ b/hack/lib/docs/config.yaml @@ -4,6 +4,7 @@ processor: # Ignore internal API versions ignoreGroupVersions: - "crd.pinniped.dev/crdpinniped" + - "idp.pinniped.dev/idp" - "pinniped.dev/pinniped" ignoreFields: - "TypeMeta$" diff --git a/hack/lib/update-codegen.sh b/hack/lib/update-codegen.sh index baba076ba..cb6878805 100755 --- a/hack/lib/update-codegen.sh +++ b/hack/lib/update-codegen.sh @@ -121,7 +121,7 @@ echo "generating API-related code for our internal API groups..." "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "pinniped:v1alpha1 crdpinniped:v1alpha1" \ + "pinniped:v1alpha1 crdpinniped:v1alpha1 idp:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-int-api > |" ) @@ -136,7 +136,7 @@ echo "generating client code for our public API groups..." client,lister,informer \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/client" \ "${BASE_PKG}/generated/${KUBE_MINOR_VERSION}/apis" \ - "pinniped:v1alpha1 crdpinniped:v1alpha1" \ + "pinniped:v1alpha1 crdpinniped:v1alpha1 idp:v1alpha1" \ --go-header-file "${ROOT}/hack/boilerplate.go.txt" 2>&1 | sed "s|^|gen-client > |" ) @@ -155,5 +155,6 @@ crd-ref-docs \ # Generate CRD YAML (cd apis && - controller-gen paths=./crdpinniped/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds + controller-gen paths=./crdpinniped/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds && + controller-gen paths=./idp/v1alpha1 crd:trivialVersions=true output:crd:artifacts:config=../crds ) diff --git a/hack/update.sh b/hack/update.sh index 00c15ae78..ebf7280f4 100755 --- a/hack/update.sh +++ b/hack/update.sh @@ -8,5 +8,5 @@ set -euo pipefail ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )" xargs "$ROOT/hack/lib/update-codegen.sh" < "${ROOT}/hack/lib/kube-versions.txt" -cp "$ROOT/generated/1.19/crds/crd.pinniped.dev_credentialissuerconfigs.yaml" "$ROOT/deploy/crd.yaml" +cp "$ROOT/generated/1.19/crds/"*.yaml "$ROOT/deploy/" "$ROOT/hack/module.sh" tidy From 3344b5b86aeed45897e18cbf82da79b6caebcd57 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Wed, 9 Sep 2020 10:36:38 -0500 Subject: [PATCH 15/32] Expect the WebhookIdentityProvider CRD to be installed. Signed-off-by: Matt Moyer --- test/integration/api_discovery_test.go | 156 +++++++++++++++++-------- 1 file changed, 105 insertions(+), 51 deletions(-) diff --git a/test/integration/api_discovery_test.go b/test/integration/api_discovery_test.go index 96fa39512..48d3bb93f 100644 --- a/test/integration/api_discovery_test.go +++ b/test/integration/api_discovery_test.go @@ -22,65 +22,119 @@ func TestGetAPIResourceList(t *testing.T) { groups, resources, err := client.Discovery().ServerGroupsAndResources() require.NoError(t, err) - t.Run("has group", func(t *testing.T) { - require.Contains(t, groups, &metav1.APIGroup{ - Name: "pinniped.dev", - Versions: []metav1.GroupVersionForDiscovery{ - { + tests := []struct { + group metav1.APIGroup + resourceByVersion map[string][]metav1.APIResource + }{ + { + group: metav1.APIGroup{ + Name: "pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ GroupVersion: "pinniped.dev/v1alpha1", Version: "v1alpha1", }, }, - PreferredVersion: metav1.GroupVersionForDiscovery{ - GroupVersion: "pinniped.dev/v1alpha1", - Version: "v1alpha1", + resourceByVersion: map[string][]metav1.APIResource{ + "pinniped.dev/v1alpha1": { + { + Name: "credentialrequests", + Kind: "CredentialRequest", + Verbs: []string{"create"}, + Namespaced: false, + + // This is currently an empty string in the response; maybe it should not be + // empty? Seems like no harm in keeping it like this for now, but feel free + // to update in the future if there is a compelling reason to do so. + SingularName: "", + }, + }, }, - }) - }) - - t.Run("has non-CRD APIs", func(t *testing.T) { - expectResources(t, "pinniped.dev/v1alpha1", resources, []metav1.APIResource{ - { - Name: "credentialrequests", - Kind: "CredentialRequest", - Verbs: []string{"create"}, - Namespaced: false, - - // This is currently an empty string in the response; maybe it should not be - // empty? Seems like no harm in keeping it like this for now, but feel free - // to update in the future if there is a compelling reason to do so. - SingularName: "", + }, + { + group: metav1.APIGroup{ + Name: "crd.pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "crd.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ + GroupVersion: "crd.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, }, - }) - }) - - t.Run("has CRD APIs", func(t *testing.T) { - expectResources(t, "crd.pinniped.dev/v1alpha1", resources, []metav1.APIResource{ - { - Name: "credentialissuerconfigs", - SingularName: "credentialissuerconfig", - Namespaced: true, - Kind: "CredentialIssuerConfig", - Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, - ShortNames: []string{"cic"}, + resourceByVersion: map[string][]metav1.APIResource{ + "crd.pinniped.dev/v1alpha1": { + { + Name: "credentialissuerconfigs", + SingularName: "credentialissuerconfig", + Namespaced: true, + Kind: "CredentialIssuerConfig", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + ShortNames: []string{"cic"}, + }, + }, }, - }) - }) -} - -func expectResources(t *testing.T, groupVersion string, resources []*metav1.APIResourceList, expected []metav1.APIResource) { - var actualResourceList *metav1.APIResourceList - for _, resource := range resources { - if resource.GroupVersion == groupVersion { - actualResourceList = resource.DeepCopy() - } + }, + { + group: metav1.APIGroup{ + Name: "idp.pinniped.dev", + Versions: []metav1.GroupVersionForDiscovery{ + { + GroupVersion: "idp.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + PreferredVersion: metav1.GroupVersionForDiscovery{ + GroupVersion: "idp.pinniped.dev/v1alpha1", + Version: "v1alpha1", + }, + }, + resourceByVersion: map[string][]metav1.APIResource{ + "idp.pinniped.dev/v1alpha1": { + { + Name: "webhookidentityproviders", + SingularName: "webhookidentityprovider", + Namespaced: true, + Kind: "WebhookIdentityProvider", + Verbs: []string{"delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"}, + ShortNames: []string{"webhookidp", "webhookidps"}, + Categories: []string{"all", "idp", "idps"}, + }, + }, + }, + }, } - require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion) - // Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't - // worry about comparing that field. - for i := range actualResourceList.APIResources { - actualResourceList.APIResources[i].StorageVersionHash = "" + for _, tt := range tests { + tt := tt + t.Run(tt.group.Name, func(t *testing.T) { + require.Contains(t, groups, &tt.group) + + for groupVersion, expectedResources := range tt.resourceByVersion { + // Find the actual resource list and make a copy. + var actualResourceList *metav1.APIResourceList + for _, resource := range resources { + if resource.GroupVersion == groupVersion { + actualResourceList = resource.DeepCopy() + } + } + require.NotNilf(t, actualResourceList, "could not find groupVersion %s", groupVersion) + + // Because its hard to predict the storage version hash (e.g. "t/+v41y+3e4="), we just don't + // worry about comparing that field. + for i := range actualResourceList.APIResources { + actualResourceList.APIResources[i].StorageVersionHash = "" + } + require.EqualValues(t, expectedResources, actualResourceList.APIResources, "unexpected API resources") + } + }) } - require.EqualValues(t, expected, actualResourceList.APIResources, "unexpected API resources") } From fc220d5f79f5b9b0adbc3265b5f863809f15fb5f Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 13:41:21 -0500 Subject: [PATCH 16/32] Remove kubectl dry-run verify for now. The dry-run fails now because we are trying to install a CRD and a custom resource (of that CRD type) in the same step. Signed-off-by: Matt Moyer --- hack/prepare-for-integration-tests.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index d68fb6ebc..b4e062490 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -189,7 +189,6 @@ ytt --file . \ --data-value "webhook_ca_bundle=$webhook_ca_bundle" \ --data-value "discovery_url=$discovery_url" >"$manifest" -kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest" popd >/dev/null From 5b9f2ec9fccd9ab005058c621f7445ca8d134519 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Wed, 9 Sep 2020 13:11:16 -0500 Subject: [PATCH 17/32] Give our controller access to all our CRD types. Signed-off-by: Matt Moyer --- deploy/rbac.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml index c0d5dddca..818453d84 100644 --- a/deploy/rbac.yaml +++ b/deploy/rbac.yaml @@ -47,8 +47,8 @@ rules: - apiGroups: [""] resources: [secrets] verbs: [create, get, list, patch, update, watch, delete] - - apiGroups: [crd.pinniped.dev] - resources: [credentialissuerconfigs] + - apiGroups: [crd.pinniped.dev, idp.pinniped.dev] + resources: ["*"] verbs: [create, get, list, update, watch] --- kind: RoleBinding From 2bdbac3e150167d0625c4e8b56635742f65d825b Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Wed, 9 Sep 2020 13:15:35 -0500 Subject: [PATCH 18/32] Move the ytt webhook config out into the CRD. Signed-off-by: Matt Moyer --- deploy/deployment.yaml | 3 --- deploy/webhook.yaml | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 deploy/webhook.yaml diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml index 28acfcde7..03d56e0e3 100644 --- a/deploy/deployment.yaml +++ b/deploy/deployment.yaml @@ -29,9 +29,6 @@ data: pinniped.yaml: | discovery: url: (@= data.values.discovery_url or "null" @) - webhook: - url: (@= data.values.webhook_url @) - caBundle: (@= data.values.webhook_ca_bundle @) api: servingCertificate: durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @) diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml new file mode 100644 index 000000000..27a57defd --- /dev/null +++ b/deploy/webhook.yaml @@ -0,0 +1,16 @@ +#! Copyright 2020 VMware, Inc. +#! SPDX-License-Identifier: Apache-2.0 + +#@ load("@ytt:data", "data") + +apiVersion: idp.pinniped.dev/v1alpha1 +kind: WebhookIdentityProvider +metadata: + name: #@ data.values.app_name + "-webhook" + namespace: #@ data.values.namespace + labels: + app: #@ data.values.app_name +spec: + endpoint: #@ data.values.webhook_url + tls: + certificateAuthorityData: #@ data.values.webhook_ca_bundle From 80a23bd2fdb59a274f72275fb6f004ab69c303d1 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Wed, 9 Sep 2020 13:22:26 -0500 Subject: [PATCH 19/32] Rename "Webhook" to "TokenAuthenticator" in our REST handler and callers. Signed-off-by: Matt Moyer --- internal/apiserver/apiserver.go | 4 ++-- internal/registry/credentialrequest/rest.go | 12 ++++++------ internal/server/server.go | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/internal/apiserver/apiserver.go b/internal/apiserver/apiserver.go index 8d96de532..bf411d620 100644 --- a/internal/apiserver/apiserver.go +++ b/internal/apiserver/apiserver.go @@ -57,7 +57,7 @@ type Config struct { } type ExtraConfig struct { - Webhook authenticator.Token + TokenAuthenticator authenticator.Token Issuer credentialrequest.CertIssuer StartControllersPostStartHook func(ctx context.Context) } @@ -111,7 +111,7 @@ func (c completedConfig) New() (*PinnipedServer, error) { NegotiatedSerializer: Codecs, } - credentialRequestStorage := credentialrequest.NewREST(c.ExtraConfig.Webhook, c.ExtraConfig.Issuer) + credentialRequestStorage := credentialrequest.NewREST(c.ExtraConfig.TokenAuthenticator, c.ExtraConfig.Issuer) v1alpha1Storage, ok := apiGroupInfo.VersionedResourcesStorageMap[gvr.Version] if !ok { diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go index 6c12a6bfd..626f39482 100644 --- a/internal/registry/credentialrequest/rest.go +++ b/internal/registry/credentialrequest/rest.go @@ -37,16 +37,16 @@ type CertIssuer interface { IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error) } -func NewREST(webhook authenticator.Token, issuer CertIssuer) *REST { +func NewREST(tokenAuthenticator authenticator.Token, issuer CertIssuer) *REST { return &REST{ - webhook: webhook, - issuer: issuer, + tokenAuthenticator: tokenAuthenticator, + issuer: issuer, } } type REST struct { - webhook authenticator.Token - issuer CertIssuer + tokenAuthenticator authenticator.Token + issuer CertIssuer } func (r *REST) New() runtime.Object { @@ -78,7 +78,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation } }() - authResponse, authenticated, err := r.webhook.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token.Value) + authResponse, authenticated, err := r.tokenAuthenticator.AuthenticateToken(cancelCtx, credentialRequest.Spec.Token.Value) if err != nil { traceFailureWithError(t, "webhook authentication", err) return failureResponse(), nil diff --git a/internal/server/server.go b/internal/server/server.go index 1dcdb8083..774c9e4ea 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -14,9 +14,9 @@ import ( "github.com/spf13/cobra" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apiserver/pkg/authentication/authenticator" genericapiserver "k8s.io/apiserver/pkg/server" genericoptions "k8s.io/apiserver/pkg/server/options" - "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" "k8s.io/klog/v2" @@ -241,7 +241,7 @@ func getClusterCASigner(ctx context.Context, serverInstallationNamespace string) // Create a configuration for the aggregated API server. func getAggregatedAPIServerConfig( dynamicCertProvider provider.DynamicTLSServingCertProvider, - webhookTokenAuthenticator *webhook.WebhookTokenAuthenticator, + tokenAuthenticator authenticator.Token, ca credentialrequest.CertIssuer, startControllersPostStartHook func(context.Context), ) (*apiserver.Config, error) { @@ -270,7 +270,7 @@ func getAggregatedAPIServerConfig( apiServerConfig := &apiserver.Config{ GenericConfig: serverConfig, ExtraConfig: apiserver.ExtraConfig{ - Webhook: webhookTokenAuthenticator, + TokenAuthenticator: tokenAuthenticator, Issuer: ca, StartControllersPostStartHook: startControllersPostStartHook, }, From 66f4e62c6c031931b8b802b409db1e2b9b1e32e1 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Fri, 11 Sep 2020 10:34:59 -0500 Subject: [PATCH 20/32] Add internal/mocks/mocktokenauthenticator generated mocks. Signed-off-by: Matt Moyer --- .../mocks/mocktokenauthenticator/generate.go | 8 +++ .../mocktokenauthenticator.go | 55 +++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 internal/mocks/mocktokenauthenticator/generate.go create mode 100644 internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go diff --git a/internal/mocks/mocktokenauthenticator/generate.go b/internal/mocks/mocktokenauthenticator/generate.go new file mode 100644 index 000000000..ab2bb834f --- /dev/null +++ b/internal/mocks/mocktokenauthenticator/generate.go @@ -0,0 +1,8 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package mocktokenauthenticator + +//go:generate go run -v github.com/golang/mock/mockgen -destination=mocktokenauthenticator.go -package=mocktokenauthenticator -copyright_file=../../../hack/header.txt k8s.io/apiserver/pkg/authentication/authenticator Token diff --git a/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go b/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go new file mode 100644 index 000000000..f08d4abff --- /dev/null +++ b/internal/mocks/mocktokenauthenticator/mocktokenauthenticator.go @@ -0,0 +1,55 @@ +// Copyright 2020 VMware, Inc. +// SPDX-License-Identifier: Apache-2.0 +// + +// Code generated by MockGen. DO NOT EDIT. +// Source: k8s.io/apiserver/pkg/authentication/authenticator (interfaces: Token) + +// Package mocktokenauthenticator is a generated GoMock package. +package mocktokenauthenticator + +import ( + context "context" + gomock "github.com/golang/mock/gomock" + authenticator "k8s.io/apiserver/pkg/authentication/authenticator" + reflect "reflect" +) + +// MockToken is a mock of Token interface +type MockToken struct { + ctrl *gomock.Controller + recorder *MockTokenMockRecorder +} + +// MockTokenMockRecorder is the mock recorder for MockToken +type MockTokenMockRecorder struct { + mock *MockToken +} + +// NewMockToken creates a new mock instance +func NewMockToken(ctrl *gomock.Controller) *MockToken { + mock := &MockToken{ctrl: ctrl} + mock.recorder = &MockTokenMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use +func (m *MockToken) EXPECT() *MockTokenMockRecorder { + return m.recorder +} + +// AuthenticateToken mocks base method +func (m *MockToken) AuthenticateToken(arg0 context.Context, arg1 string) (*authenticator.Response, bool, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "AuthenticateToken", arg0, arg1) + ret0, _ := ret[0].(*authenticator.Response) + ret1, _ := ret[1].(bool) + ret2, _ := ret[2].(error) + return ret0, ret1, ret2 +} + +// AuthenticateToken indicates an expected call of AuthenticateToken +func (mr *MockTokenMockRecorder) AuthenticateToken(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateToken", reflect.TypeOf((*MockToken)(nil).AuthenticateToken), arg0, arg1) +} From 6506a82b197d7b7dba88766af4842dd293d1f1c2 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 09:36:06 -0500 Subject: [PATCH 21/32] Add a cache of active IDPs, which implements authenticator.Token. Signed-off-by: Matt Moyer --- .../identityprovider/idpcache/cache.go | 77 +++++++++++++ .../identityprovider/idpcache/cache_test.go | 101 ++++++++++++++++++ 2 files changed, 178 insertions(+) create mode 100644 internal/controller/identityprovider/idpcache/cache.go create mode 100644 internal/controller/identityprovider/idpcache/cache_test.go diff --git a/internal/controller/identityprovider/idpcache/cache.go b/internal/controller/identityprovider/idpcache/cache.go new file mode 100644 index 000000000..0fddc2114 --- /dev/null +++ b/internal/controller/identityprovider/idpcache/cache.go @@ -0,0 +1,77 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package idpcache implements a cache of active identity providers. +package idpcache + +import ( + "context" + "fmt" + "sync" + + "k8s.io/apiserver/pkg/authentication/authenticator" + + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +var ( + // ErrNoIDPs is returned by Cache.AuthenticateToken() when there are no IDPs configured. + ErrNoIDPs = fmt.Errorf("no identity providers are loaded") + + // ErrIndeterminateIDP is returned by Cache.AuthenticateToken() when the correct IDP cannot be determined. + ErrIndeterminateIDP = fmt.Errorf("could not uniquely match against an identity provider") +) + +// Cache implements the authenticator.Token interface by multiplexing across a dynamic set of identity providers +// loaded from IDP resources. +type Cache struct { + cache sync.Map +} + +// New returns an empty cache. +func New() *Cache { + return &Cache{} +} + +// Store an identity provider into the cache. +func (c *Cache) Store(key controllerlib.Key, value authenticator.Token) { + c.cache.Store(key, value) +} + +// Delete an identity provider from the cache. +func (c *Cache) Delete(key controllerlib.Key) { + c.cache.Delete(key) +} + +// Keys currently stored in the cache. +func (c *Cache) Keys() []controllerlib.Key { + var result []controllerlib.Key + c.cache.Range(func(key, _ interface{}) bool { + result = append(result, key.(controllerlib.Key)) + return true + }) + return result +} + +// AuthenticateToken validates the provided token against the currently loaded identity providers. +func (c *Cache) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) { + var matchingIDPs []authenticator.Token + c.cache.Range(func(key, value interface{}) bool { + matchingIDPs = append(matchingIDPs, value.(authenticator.Token)) + return true + }) + + // Return an error if there are no known IDPs. + if len(matchingIDPs) == 0 { + return nil, false, ErrNoIDPs + } + + // For now, allow there to be only exactly one IDP (until we specify a good mechanism for selecting one). + if len(matchingIDPs) != 1 { + return nil, false, ErrIndeterminateIDP + } + + return matchingIDPs[0].AuthenticateToken(ctx, token) +} diff --git a/internal/controller/identityprovider/idpcache/cache_test.go b/internal/controller/identityprovider/idpcache/cache_test.go new file mode 100644 index 000000000..48b971b34 --- /dev/null +++ b/internal/controller/identityprovider/idpcache/cache_test.go @@ -0,0 +1,101 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package idpcache + +import ( + "context" + "testing" + + "github.com/golang/mock/gomock" + "github.com/stretchr/testify/require" + "k8s.io/apiserver/pkg/authentication/authenticator" + "k8s.io/apiserver/pkg/authentication/user" + + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/mocks/mocktokenauthenticator" +) + +func TestCache(t *testing.T) { + t.Parallel() + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + tests := []struct { + name string + mockAuthenticators map[controllerlib.Key]func(*mocktokenauthenticator.MockToken) + wantResponse *authenticator.Response + wantAuthenticated bool + wantErr string + }{ + { + name: "no IDPs", + wantErr: "no identity providers are loaded", + }, + { + name: "multiple IDPs", + mockAuthenticators: map[controllerlib.Key]func(mockToken *mocktokenauthenticator.MockToken){ + controllerlib.Key{Namespace: "foo", Name: "idp-one"}: nil, + controllerlib.Key{Namespace: "foo", Name: "idp-two"}: nil, + }, + wantErr: "could not uniquely match against an identity provider", + }, + { + name: "success", + mockAuthenticators: map[controllerlib.Key]func(mockToken *mocktokenauthenticator.MockToken){ + controllerlib.Key{ + Namespace: "foo", + Name: "idp-one", + }: func(mockToken *mocktokenauthenticator.MockToken) { + mockToken.EXPECT().AuthenticateToken(ctx, "test-token").Return( + &authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, + true, + nil, + ) + }, + }, + wantResponse: &authenticator.Response{User: &user.DefaultInfo{Name: "test-user"}}, + wantAuthenticated: true, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + ctrl := gomock.NewController(t) + defer ctrl.Finish() + + cache := New() + require.NotNil(t, cache) + require.Implements(t, (*authenticator.Token)(nil), cache) + + for key, mockFunc := range tt.mockAuthenticators { + mockToken := mocktokenauthenticator.NewMockToken(ctrl) + if mockFunc != nil { + mockFunc(mockToken) + } + cache.Store(key, mockToken) + } + + require.Equal(t, len(tt.mockAuthenticators), len(cache.Keys())) + + resp, authenticated, err := cache.AuthenticateToken(ctx, "test-token") + require.Equal(t, tt.wantResponse, resp) + require.Equal(t, tt.wantAuthenticated, authenticated) + if tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + return + } + require.NoError(t, err) + + for _, key := range cache.Keys() { + cache.Delete(key) + } + require.Zero(t, len(cache.Keys())) + }) + } +} From acfc5acfb2757be3454fe07d72279be91a520ddb Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 10:41:36 -0500 Subject: [PATCH 22/32] Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer --- .../webhookcachefiller/webhookcachefiller.go | 127 +++++++++++++ .../webhookcachefiller_test.go | 174 ++++++++++++++++++ 2 files changed, 301 insertions(+) create mode 100644 internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go create mode 100644 internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go new file mode 100644 index 000000000..6b67d940e --- /dev/null +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go @@ -0,0 +1,127 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider. +package webhookcachefiller + +import ( + "encoding/base64" + "fmt" + "io/ioutil" + "os" + + "github.com/go-logr/logr" + k8sauthv1beta1 "k8s.io/api/authentication/v1beta1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/util/net" + "k8s.io/apiserver/pkg/authentication/authenticator" + "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + "k8s.io/klog/v2" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + idpinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +// New instantiates a new controllerlib.Controller which will populate the provided idpcache.Cache. +func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller { + return controllerlib.New( + controllerlib.Config{ + Name: "webhookcachefiller-controller", + Syncer: &controller{ + cache: cache, + webhookIDPs: webhookIDPs, + log: log.WithName("webhookcachefiller-controller"), + }, + }, + controllerlib.WithInformer( + webhookIDPs, + pinnipedcontroller.NoOpFilter(), + controllerlib.InformerOption{}, + ), + ) +} + +type controller struct { + cache *idpcache.Cache + webhookIDPs idpinformers.WebhookIdentityProviderInformer + log logr.Logger +} + +// Sync implements controllerlib.Syncer. +func (c *controller) Sync(ctx controllerlib.Context) error { + obj, err := c.webhookIDPs.Lister().WebhookIdentityProviders(ctx.Key.Namespace).Get(ctx.Key.Name) + if err != nil && errors.IsNotFound(err) { + c.log.Info("Sync() found that the WebhookIdentityProvider does not exist yet or was deleted") + return nil + } + if err != nil { + return fmt.Errorf("failed to get WebhookIdentityProvider %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err) + } + + webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, ioutil.TempFile, clientcmd.WriteToFile) + if err != nil { + return fmt.Errorf("failed to build webhook config: %w", err) + } + + c.cache.Store(ctx.Key, webhookAuthenticator) + c.log.WithValues("idp", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook IDP") + return nil +} + +// newWebhookAuthenticator creates a webhook from the provided API server url and caBundle +// used to validate TLS connections. +func newWebhookAuthenticator( + spec *idpv1alpha1.WebhookIdentityProviderSpec, + tempfileFunc func(string, string) (*os.File, error), + marshalFunc func(clientcmdapi.Config, string) error, +) (*webhook.WebhookTokenAuthenticator, error) { + temp, err := tempfileFunc("", "pinniped-webhook-kubeconfig-*") + if err != nil { + return nil, fmt.Errorf("unable to create temporary file: %w", err) + } + defer func() { _ = os.Remove(temp.Name()) }() + + cluster := &clientcmdapi.Cluster{Server: spec.Endpoint} + cluster.CertificateAuthorityData, err = getCABundle(spec.TLS) + if err != nil { + return nil, fmt.Errorf("invalid TLS configuration: %w", err) + } + + kubeconfig := clientcmdapi.NewConfig() + kubeconfig.Clusters["anonymous-cluster"] = cluster + kubeconfig.Contexts["anonymous"] = &clientcmdapi.Context{Cluster: "anonymous-cluster"} + kubeconfig.CurrentContext = "anonymous" + + if err := marshalFunc(*kubeconfig, temp.Name()); err != nil { + return nil, fmt.Errorf("unable to marshal kubeconfig: %w", err) + } + + // We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired + // integration points. + version := k8sauthv1beta1.SchemeGroupVersion.Version + + // At the current time, we don't provide any audiences because we simply don't + // have any requirements to do so. This can be changed in the future as + // requirements change. + var implicitAuds authenticator.Audiences + + // We set this to nil because we would only need this to support some of the + // custom proxy stuff used by the API server. + var customDial net.DialFunc + + return webhook.New(temp.Name(), version, implicitAuds, customDial) +} + +func getCABundle(spec *idpv1alpha1.TLSSpec) ([]byte, error) { + if spec == nil { + return nil, nil + } + return base64.RawStdEncoding.DecodeString(spec.CertificateAuthorityData) +} diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go new file mode 100644 index 000000000..c2d9fc171 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go @@ -0,0 +1,174 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package webhookcachefiller + +import ( + "context" + "encoding/base64" + "fmt" + "io/ioutil" + "net/http" + "os" + "testing" + "time" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" + pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/testutil" + "github.com/suzerain-io/pinniped/internal/testutil/testlogger" +) + +func TestController(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + syncKey controllerlib.Key + webhookIDPs []runtime.Object + wantErr string + wantLogs []string + wantCacheEntries int + }{ + { + name: "not found", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + wantLogs: []string{ + `webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookIdentityProvider does not exist yet or was deleted"`, + }, + }, + { + name: "invalid webhook", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + webhookIDPs: []runtime.Object{ + &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-namespace", + Name: "test-name", + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "invalid url", + }, + }, + }, + wantErr: `failed to build webhook config: parse "http://invalid url": invalid character " " in host name`, + }, + { + name: "valid webhook", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + webhookIDPs: []runtime.Object{ + &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-namespace", + Name: "test-name", + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: ""}, + }, + }, + }, + wantLogs: []string{ + `webhookcachefiller-controller "level"=0 "msg"="added new webhook IDP" "endpoint"="https://example.com" "idp"={"name":"test-name","namespace":"test-namespace"}`, + }, + wantCacheEntries: 1, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...) + informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0) + cache := idpcache.New() + testLog := testlogger.New(t) + + controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog) + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel() + + informers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + require.Equal(t, tt.wantLogs, testLog.Lines()) + require.Equal(t, tt.wantCacheEntries, len(cache.Keys())) + }) + } +} + +func TestNewWebhookAuthenticator(t *testing.T) { + t.Run("temp file failure", func(t *testing.T) { + brokenTempFile := func(_ string, _ string) (*os.File, error) { return nil, fmt.Errorf("some temp file error") } + res, err := newWebhookAuthenticator(nil, brokenTempFile, clientcmd.WriteToFile) + require.Nil(t, res) + require.EqualError(t, err, "unable to create temporary file: some temp file error") + }) + + t.Run("marshal failure", func(t *testing.T) { + marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") } + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError) + require.Nil(t, res) + require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error") + }) + + t.Run("invalid base64", func(t *testing.T) { + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"}, + }, ioutil.TempFile, clientcmd.WriteToFile) + require.Nil(t, res) + require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7") + }) + + t.Run("valid config with no TLS spec", func(t *testing.T) { + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + }, ioutil.TempFile, clientcmd.WriteToFile) + require.NotNil(t, res) + require.NoError(t, err) + }) + + t.Run("success", func(t *testing.T) { + caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { + body, err := ioutil.ReadAll(r.Body) + require.NoError(t, err) + require.Contains(t, string(body), "test-token") + _, err = w.Write([]byte(`{}`)) + require.NoError(t, err) + }) + spec := &idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: url, + TLS: &idpv1alpha1.TLSSpec{ + CertificateAuthorityData: base64.RawStdEncoding.EncodeToString([]byte(caBundle)), + }, + } + res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile) + require.NoError(t, err) + require.NotNil(t, res) + + resp, authenticated, err := res.AuthenticateToken(context.Background(), "test-token") + require.NoError(t, err) + require.Nil(t, resp) + require.False(t, authenticated) + }) +} From 75ea0f48d9148352577b7bdfdb55cd4c946b26eb Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 10:42:42 -0500 Subject: [PATCH 23/32] Add a controller to clean up stale entries in the idpcache.Cache. Signed-off-by: Matt Moyer --- .../webhookcachecleaner.go | 70 ++++++++++ .../webhookcachecleaner_test.go | 128 ++++++++++++++++++ 2 files changed, 198 insertions(+) create mode 100644 internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go create mode 100644 internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go new file mode 100644 index 000000000..dd14de881 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner.go @@ -0,0 +1,70 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package webhookcachecleaner implements a controller for garbage collectting webhook IDPs from an IDP cache. +package webhookcachecleaner + +import ( + "fmt" + + "github.com/go-logr/logr" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/klog/v2" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + idpinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +// New instantiates a new controllerlib.Controller which will garbage collect webhooks from the provided Cache. +func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller { + return controllerlib.New( + controllerlib.Config{ + Name: "webhookcachecleaner-controller", + Syncer: &controller{ + cache: cache, + webhookIDPs: webhookIDPs, + log: log.WithName("webhookcachecleaner-controller"), + }, + }, + controllerlib.WithInformer( + webhookIDPs, + pinnipedcontroller.NoOpFilter(), + controllerlib.InformerOption{}, + ), + ) +} + +type controller struct { + cache *idpcache.Cache + webhookIDPs idpinformers.WebhookIdentityProviderInformer + log logr.Logger +} + +// Sync implements controllerlib.Syncer. +func (c *controller) Sync(ctx controllerlib.Context) error { + webhooks, err := c.webhookIDPs.Lister().List(labels.Everything()) + if err != nil { + return fmt.Errorf("failed to list WebhookIdentityProviders: %w", err) + } + + // Index the current webhooks by key. + webhooksByKey := map[controllerlib.Key]*idpv1alpha1.WebhookIdentityProvider{} + for _, webhook := range webhooks { + key := controllerlib.Key{Namespace: webhook.Namespace, Name: webhook.Name} + webhooksByKey[key] = webhook + } + + // Delete any entries from the cache which are no longer in the cluster. + for _, key := range c.cache.Keys() { + if _, exists := webhooksByKey[key]; !exists { + c.log.WithValues("idp", klog.KRef(key.Namespace, key.Name)).Info("deleting webhook IDP from cache") + c.cache.Delete(key) + } + } + return nil +} diff --git a/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go new file mode 100644 index 000000000..56a29bc6e --- /dev/null +++ b/internal/controller/identityprovider/webhookcachecleaner/webhookcachecleaner_test.go @@ -0,0 +1,128 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package webhookcachecleaner + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apiserver/pkg/authentication/authenticator" + + idpv1alpha "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" + pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/testutil/testlogger" +) + +func TestController(t *testing.T) { + t.Parallel() + + testKey1 := controllerlib.Key{Namespace: "test-namespace", Name: "test-name-one"} + testKey2 := controllerlib.Key{Namespace: "test-namespace", Name: "test-name-two"} + + tests := []struct { + name string + syncKey controllerlib.Key + webhookIDPs []runtime.Object + initialCache map[controllerlib.Key]authenticator.Token + wantErr string + wantLogs []string + wantCacheKeys []controllerlib.Key + }{ + { + name: "no change", + syncKey: testKey1, + initialCache: map[controllerlib.Key]authenticator.Token{testKey1: nil}, + webhookIDPs: []runtime.Object{ + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey1.Namespace, + Name: testKey1.Name, + }, + }, + }, + wantCacheKeys: []controllerlib.Key{testKey1}, + }, + { + name: "IDPs not yet added", + syncKey: testKey1, + initialCache: nil, + webhookIDPs: []runtime.Object{ + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey1.Namespace, + Name: testKey1.Name, + }, + }, + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey2.Namespace, + Name: testKey2.Name, + }, + }, + }, + wantCacheKeys: []controllerlib.Key{}, + }, + { + name: "successful cleanup", + syncKey: testKey1, + initialCache: map[controllerlib.Key]authenticator.Token{ + testKey1: nil, + testKey2: nil, + }, + webhookIDPs: []runtime.Object{ + &idpv1alpha.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: testKey1.Namespace, + Name: testKey1.Name, + }, + }, + }, + wantLogs: []string{ + `webhookcachecleaner-controller "level"=0 "msg"="deleting webhook IDP from cache" "idp"={"name":"test-name-two","namespace":"test-namespace"}`, + }, + wantCacheKeys: []controllerlib.Key{testKey1}, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...) + informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0) + cache := idpcache.New() + for k, v := range tt.initialCache { + cache.Store(k, v) + } + testLog := testlogger.New(t) + + controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog) + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel() + + informers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + require.Equal(t, tt.wantLogs, testLog.Lines()) + require.ElementsMatch(t, tt.wantCacheKeys, cache.Keys()) + }) + } +} From f7c9ae8ba36e9eb22f4b54bbfb5b3f424d663c28 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 10:47:16 -0500 Subject: [PATCH 24/32] Validate tokens using the new dynamic IDP cache instead of the static config. Signed-off-by: Matt Moyer --- .../controllermanager/prepare_controllers.go | 21 +++++++++++++++++++ internal/server/server.go | 11 +++++----- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go index dcb565fa1..fc8218868 100644 --- a/internal/controllermanager/prepare_controllers.go +++ b/internal/controllermanager/prepare_controllers.go @@ -14,11 +14,15 @@ import ( k8sinformers "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" + "k8s.io/klog/v2/klogr" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" "github.com/suzerain-io/pinniped/internal/controller/apicerts" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controllerlib" "github.com/suzerain-io/pinniped/internal/provider" @@ -36,6 +40,7 @@ func PrepareControllers( dynamicCertProvider provider.DynamicTLSServingCertProvider, servingCertDuration time.Duration, servingCertRenewBefore time.Duration, + idpCache *idpcache.Cache, ) (func(ctx context.Context), error) { // Create k8s clients. k8sClient, aggregatorClient, pinnipedClient, err := createClients() @@ -104,6 +109,22 @@ func PrepareControllers( servingCertRenewBefore, ), singletonWorker, + ). + WithController( + webhookcachefiller.New( + idpCache, + installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(), + klogr.New(), + ), + singletonWorker, + ). + WithController( + webhookcachecleaner.New( + idpCache, + installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(), + klogr.New(), + ), + singletonWorker, ) // Return a function which starts the informers and controllers. diff --git a/internal/server/server.go b/internal/server/server.go index 774c9e4ea..64faa1d21 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -26,6 +26,7 @@ import ( pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned" "github.com/suzerain-io/pinniped/internal/apiserver" "github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" "github.com/suzerain-io/pinniped/internal/controller/issuerconfig" "github.com/suzerain-io/pinniped/internal/controllermanager" "github.com/suzerain-io/pinniped/internal/downward" @@ -118,11 +119,8 @@ func (a *App) runServer(ctx context.Context) error { } defer shutdownCA() - // Create a WebhookTokenAuthenticator. - webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig) - if err != nil { - return fmt.Errorf("could not create webhook client: %w", err) - } + // Initialize the cache of active identity providers. + idpCache := idpcache.New() // This cert provider will provide certs to the API server and will // be mutated by a controller to keep the certs up to date with what @@ -139,6 +137,7 @@ func (a *App) runServer(ctx context.Context) error { dynamicCertProvider, time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second, time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second, + idpCache, ) if err != nil { return fmt.Errorf("could not prepare controllers: %w", err) @@ -147,7 +146,7 @@ func (a *App) runServer(ctx context.Context) error { // Get the aggregated API server config. aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig( dynamicCertProvider, - webhookTokenAuthenticator, + idpCache, k8sClusterCA, startControllersFunc, ) From 8de046a561bc6909f54e49beb37ac57ef9c065e9 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 10:48:11 -0500 Subject: [PATCH 25/32] Remove static webhook config options. Signed-off-by: Matt Moyer --- pkg/config/api/types.go | 13 ---- pkg/config/config_test.go | 8 -- pkg/config/testdata/default.yaml | 3 - pkg/config/testdata/happy.yaml | 3 - .../invalid-duration-renew-before.yaml | 3 - .../testdata/negative-renew-before.yaml | 3 - pkg/config/testdata/zero-renew-before.yaml | 3 - pkg/config/webhook.go | 77 ------------------- pkg/config/webhook_test.go | 31 -------- 9 files changed, 144 deletions(-) delete mode 100644 pkg/config/webhook.go delete mode 100644 pkg/config/webhook_test.go diff --git a/pkg/config/api/types.go b/pkg/config/api/types.go index 81a8b1e14..1f5a80e38 100644 --- a/pkg/config/api/types.go +++ b/pkg/config/api/types.go @@ -7,23 +7,10 @@ package api // Config contains knobs to setup an instance of pinniped. type Config struct { - WebhookConfig WebhookConfigSpec `json:"webhook"` DiscoveryInfo DiscoveryInfoSpec `json:"discovery"` APIConfig APIConfigSpec `json:"api"` } -// WebhookConfig contains configuration knobs specific to pinniped's use -// of a webhook for token validation. -type WebhookConfigSpec struct { - // URL contains the URL of the webhook that pinniped will use - // to validate external credentials. - URL string `json:"url"` - - // CABundle contains PEM-encoded certificate authority certificates used - // to validate TLS connections to the WebhookURL. - CABundle []byte `json:"caBundle"` -} - // DiscoveryInfoSpec contains configuration knobs specific to // pinniped's publishing of discovery information. These values can be // viewed as overrides, i.e., if these are set, then pinniped will diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index e22a1255b..e188910d1 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -27,10 +27,6 @@ func TestFromPath(t *testing.T) { DiscoveryInfo: api.DiscoveryInfoSpec{ URL: stringPtr("https://some.discovery/url"), }, - WebhookConfig: api.WebhookConfigSpec{ - URL: "https://tuna.com/fish?marlin", - CABundle: []byte("-----BEGIN CERTIFICATE-----..."), - }, APIConfig: api.APIConfigSpec{ ServingCertificateConfig: api.ServingCertificateConfigSpec{ DurationSeconds: int64Ptr(3600), @@ -46,10 +42,6 @@ func TestFromPath(t *testing.T) { DiscoveryInfo: api.DiscoveryInfoSpec{ URL: nil, }, - WebhookConfig: api.WebhookConfigSpec{ - URL: "https://tuna.com/fish?marlin", - CABundle: []byte("-----BEGIN CERTIFICATE-----..."), - }, APIConfig: api.APIConfigSpec{ ServingCertificateConfig: api.ServingCertificateConfigSpec{ DurationSeconds: int64Ptr(60 * 60 * 24 * 365), // about a year diff --git a/pkg/config/testdata/default.yaml b/pkg/config/testdata/default.yaml index 234d9de84..ed97d539c 100644 --- a/pkg/config/testdata/default.yaml +++ b/pkg/config/testdata/default.yaml @@ -1,4 +1 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u diff --git a/pkg/config/testdata/happy.yaml b/pkg/config/testdata/happy.yaml index f769cb834..3ed3c18a8 100644 --- a/pkg/config/testdata/happy.yaml +++ b/pkg/config/testdata/happy.yaml @@ -1,9 +1,6 @@ --- discovery: url: https://some.discovery/url -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 3600 diff --git a/pkg/config/testdata/invalid-duration-renew-before.yaml b/pkg/config/testdata/invalid-duration-renew-before.yaml index 83d1eaa6d..0c2ac2552 100644 --- a/pkg/config/testdata/invalid-duration-renew-before.yaml +++ b/pkg/config/testdata/invalid-duration-renew-before.yaml @@ -1,7 +1,4 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 2400 diff --git a/pkg/config/testdata/negative-renew-before.yaml b/pkg/config/testdata/negative-renew-before.yaml index 97481414a..bcc483d68 100644 --- a/pkg/config/testdata/negative-renew-before.yaml +++ b/pkg/config/testdata/negative-renew-before.yaml @@ -1,7 +1,4 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 2400 diff --git a/pkg/config/testdata/zero-renew-before.yaml b/pkg/config/testdata/zero-renew-before.yaml index 97481414a..bcc483d68 100644 --- a/pkg/config/testdata/zero-renew-before.yaml +++ b/pkg/config/testdata/zero-renew-before.yaml @@ -1,7 +1,4 @@ --- -webhook: - url: https://tuna.com/fish?marlin - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u api: servingCertificate: durationSeconds: 2400 diff --git a/pkg/config/webhook.go b/pkg/config/webhook.go deleted file mode 100644 index b359b25af..000000000 --- a/pkg/config/webhook.go +++ /dev/null @@ -1,77 +0,0 @@ -/* -Copyright 2020 VMware, Inc. -SPDX-License-Identifier: Apache-2.0 -*/ - -package config - -import ( - "fmt" - "io" - "io/ioutil" - "os" - - authenticationv1beta1 "k8s.io/api/authentication/v1beta1" - utilnet "k8s.io/apimachinery/pkg/util/net" - "k8s.io/apiserver/pkg/authentication/authenticator" - "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" - "k8s.io/client-go/tools/clientcmd" - clientcmdapi "k8s.io/client-go/tools/clientcmd/api" - - "github.com/suzerain-io/pinniped/pkg/config/api" -) - -// NewWebhook creates a webhook from the provided API server url and caBundle -// used to validate TLS connections. -func NewWebhook(spec api.WebhookConfigSpec) (*webhook.WebhookTokenAuthenticator, error) { - kubeconfig, err := ioutil.TempFile("", "pinniped-webhook-kubeconfig-*") - if err != nil { - return nil, fmt.Errorf("create temp file: %w", err) - } - defer os.Remove(kubeconfig.Name()) - - if err := anonymousKubeconfig(spec.URL, spec.CABundle, kubeconfig); err != nil { - return nil, fmt.Errorf("anonymous kubeconfig: %w", err) - } - - // We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired - // integration points. - version := authenticationv1beta1.SchemeGroupVersion.Version - - // At the current time, we don't provide any audiences because we simply don't - // have any requirements to do so. This can be changed in the future as - // requirements change. - var implicitAuds authenticator.Audiences - - // We set this to nil because we would only need this to support some of the - // custom proxy stuff used by the API server. - var customDial utilnet.DialFunc - - return webhook.New(kubeconfig.Name(), version, implicitAuds, customDial) -} - -// anonymousKubeconfig writes a kubeconfig file to the provided io.Writer that -// will "use" anonymous auth to talk to a Kube API server at the provided url -// with the provided caBundle. -func anonymousKubeconfig(url string, caBundle []byte, out io.Writer) error { - config := clientcmdapi.NewConfig() - config.Clusters["anonymous-cluster"] = &clientcmdapi.Cluster{ - Server: url, - CertificateAuthorityData: caBundle, - } - config.Contexts["anonymous"] = &clientcmdapi.Context{ - Cluster: "anonymous-cluster", - } - config.CurrentContext = "anonymous" - - data, err := clientcmd.Write(*config) - if err != nil { - return fmt.Errorf("marshal config: %w", err) - } - - if _, err := out.Write(data); err != nil { - return fmt.Errorf("write config: %w", err) - } - - return nil -} diff --git a/pkg/config/webhook_test.go b/pkg/config/webhook_test.go deleted file mode 100644 index 3ba33cda9..000000000 --- a/pkg/config/webhook_test.go +++ /dev/null @@ -1,31 +0,0 @@ -/* -Copyright 2020 VMware, Inc. -SPDX-License-Identifier: Apache-2.0 -*/ - -package config - -import ( - "io/ioutil" - "os" - "testing" - - "github.com/stretchr/testify/require" - "k8s.io/client-go/tools/clientcmd" -) - -func TestAnonymousKubeconfig(t *testing.T) { - expect := require.New(t) - - f, err := ioutil.TempFile("", "pinniped-anonymous-kubeconfig-test-*") - expect.NoError(err) - defer os.Remove(f.Name()) - - err = anonymousKubeconfig("https://tuna.com", []byte("ca bundle"), f) - expect.NoError(err) - - config, err := clientcmd.BuildConfigFromFlags("", f.Name()) - expect.NoError(err) - - expect.Equal("https://tuna.com", config.Host) -} From a22b414b5882d92ed41de8fde91af85c62332724 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Tue, 15 Sep 2020 11:12:31 -0400 Subject: [PATCH 26/32] MAINTAINERS.md: add initial draft Signed-off-by: Andrew Keesler --- MAINTAINERS.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 MAINTAINERS.md diff --git a/MAINTAINERS.md b/MAINTAINERS.md new file mode 100644 index 000000000..bc80e218b --- /dev/null +++ b/MAINTAINERS.md @@ -0,0 +1,17 @@ +# Pinniped Maintainers + +This is the current list of maintainers for the Pinniped project. + +| Maintainer | GitHub ID | Affiliation | +| --------------- | --------- | ----------- | +| Andrew Keesler | [ankeesler](https://github.com/ankeesler) | [VMware](https://www.github.com/vmware/) | +| Matt Moyer | [mattmoyer](https://github.com/mattmoyer) | [VMware](https://www.github.com/vmware/) | +| Pablo Schuhmacher | [pabloschuhmacher](https://github.com/pabloschuhmacher) | [VMware](https://www.github.com/vmware/) | +| Ryan Richard | [cfryanr](https://github.com/cfryanr) | [VMware](https://www.github.com/vmware/) | + +## Pinniped Contributors & Stakeholders + +| Feature Area | Lead | +| ----------------------------- | :---------------------: | +| Technical Lead | Matt Moyer (mattmoyer) | +| Product Management | Pablo Schuhmacher (pabloschuhmacher) | From b39160e4c400a79fa4fb6c20b18b48e711d65b36 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 15 Sep 2020 12:04:46 -0500 Subject: [PATCH 27/32] Add some log output to TestCredentialIssuerConfig for troubleshooting. Signed-off-by: Matt Moyer --- test/integration/credentialissuerconfig_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/integration/credentialissuerconfig_test.go b/test/integration/credentialissuerconfig_test.go index 22478d91b..cacfe1ddd 100644 --- a/test/integration/credentialissuerconfig_test.go +++ b/test/integration/credentialissuerconfig_test.go @@ -36,6 +36,10 @@ func TestCredentialIssuerConfig(t *testing.T) { CredentialIssuerConfigs(namespaceName). List(ctx, metav1.ListOptions{}) require.NoError(t, err) + for _, config := range actualConfigList.Items { + t.Logf("found CredentialIssuerConfig: %+v", config) + } + require.Len(t, actualConfigList.Items, 1) actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo From 1c7b3c30722b127c8680976a65fb76d5a78cbb3f Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 15 Sep 2020 13:54:19 -0500 Subject: [PATCH 28/32] Fix base64 encoding style in webhookcachefiller. This was previously using the unpadded (raw) base64 encoder, which worked sometimes (if the CA happened to be a length that didn't require padding). The correct encoding is the `base64.StdEncoding` one that includes padding. Signed-off-by: Matt Moyer --- .../identityprovider/webhookcachefiller/webhookcachefiller.go | 2 +- .../webhookcachefiller/webhookcachefiller_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go index 6b67d940e..867ba6dc4 100644 --- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go @@ -123,5 +123,5 @@ func getCABundle(spec *idpv1alpha1.TLSSpec) ([]byte, error) { if spec == nil { return nil, nil } - return base64.RawStdEncoding.DecodeString(spec.CertificateAuthorityData) + return base64.StdEncoding.DecodeString(spec.CertificateAuthorityData) } diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go index c2d9fc171..82e4fa35f 100644 --- a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go @@ -159,7 +159,7 @@ func TestNewWebhookAuthenticator(t *testing.T) { spec := &idpv1alpha1.WebhookIdentityProviderSpec{ Endpoint: url, TLS: &idpv1alpha1.TLSSpec{ - CertificateAuthorityData: base64.RawStdEncoding.EncodeToString([]byte(caBundle)), + CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)), }, } res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile) From cecd691a841188f9838191bb22412c743add9530 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 15 Sep 2020 12:10:20 -0700 Subject: [PATCH 29/32] Add demo instructions Signed-off-by: Andrew Keesler --- README.md | 4 + deploy-local-user-authenticator/README.md | 5 +- deploy/README.md | 5 +- doc/demo.md | 115 ++++++++++++++++++++++ 4 files changed, 125 insertions(+), 4 deletions(-) create mode 100644 doc/demo.md diff --git a/README.md b/README.md index c53a2f3aa..63cf38008 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,10 @@ built with the [Pinniped Go client library](generated). ![implementation](doc/img/pinniped.svg) +## Trying Pinniped + +Care to kick the tires? It's easy to [install and try Pinniped](doc/demo.md). + ## Installation Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod diff --git a/deploy-local-user-authenticator/README.md b/deploy-local-user-authenticator/README.md index a4f4b88fa..c305e1133 100644 --- a/deploy-local-user-authenticator/README.md +++ b/deploy-local-user-authenticator/README.md @@ -14,8 +14,9 @@ User accounts can be created and edited dynamically using `kubectl` commands (se ## Tools -This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files. -Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). +This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files +and to deploy the app. +Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). As well, this demo requires a tool capable of generating a `bcrypt` hash in order to interact with the webhook. The example below uses `htpasswd`, which is installed on most macOS systems, and can be diff --git a/deploy/README.md b/deploy/README.md index 96b0c344b..005647ef2 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -9,8 +9,9 @@ for details. ## Tools -This example deployment uses `ytt` from [Carvel](https://carvel.dev/) to template the YAML files. -Either [install `ytt`](https://get-ytt.io/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). +This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files +and to deploy the app. +Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). ## Procedure diff --git a/doc/demo.md b/doc/demo.md new file mode 100644 index 000000000..8ffb93f8d --- /dev/null +++ b/doc/demo.md @@ -0,0 +1,115 @@ +# Trying Pinniped + +## Prerequisites + +1. A Kubernetes cluster of a type supported by Pinniped. + Currently, Pinniped supports self-hosted clusters where the Kube Controller Manager pod + is accessible from Pinniped's pods. + Support for other types of Kubernetes distributions is coming soon. + + Don't have a cluster handy? Consider using [kind](https://kind.sigs.k8s.io/) on your local machine. + See below for an example of using kind. + +1. A kubeconfig where the current context points to that cluster and has admin-like + privileges on that cluster. + + Don't have an identity provider of a type supported by Pinniped handy? + Start by installing `local-user-authenticator` on the same cluster where you would like to try Pinniped + by following the directions in [deploy-local-user-authenticator/README.md](../deploy-local-user-authenticator/README.md). + See below for an example of deploying this on kind. + +## Steps + +### General Steps + +1. Install Pinniped by following the directions in [deploy/README.md](../deploy/README.md). +1. Download the Pinniped CLI from [Pinniped's github Releases page](https://github.com/suzerain-io/pinniped/releases/latest). +1. Generate a kubeconfig using the Pinniped CLI. Run `pinniped get-kubeconfig --help` for more information. +1. Run `kubectl` commands using the generated kubeconfig to authenticate using Pinniped during those commands. + +### Specific Example of Deploying on kind Using `local-user-authenticator` as the Identity Provider + +1. Install the tools required for the following steps. + + - This example deployment uses `ytt` and `kapp` from [Carvel](https://carvel.dev/) to template the YAML files + and to deploy the app. + Either [install `ytt` and `kapp`](https://carvel.dev/) or use the [container image from Dockerhub](https://hub.docker.com/r/k14s/image/tags). + E.g. `brew install k14s/tap/ytt k14s/tap/kapp` on a Mac. + + - [Install kind](https://kind.sigs.k8s.io/docs/user/quick-start/), if not already installed. e.g. `brew install kind` on a Mac. + + - kind depends on Docker. If not already installed, [install Docker](https://docs.docker.com/get-docker/), e.g. `brew cask install docker` on a Mac. + + - This demo requires `kubectl`, which comes with Docker, or can be [installed separately](https://kubernetes.io/docs/tasks/tools/install-kubectl/). + + - This demo requires a tool capable of generating a `bcrypt` hash in order to interact with + the webhook. The example below uses `htpasswd`, which is installed on most macOS systems, and can be + installed on some Linux systems via the `apache2-utils` package (e.g., `apt-get install + apache2-utils`). + +1. Create a new Kubernetes cluster using `kind create cluster`. Optionally provide a cluster name using the `--name` flag. + kind will automatically update your kubeconfig to point to the new cluster. + +1. Clone this repo. + + ```bash + git clone https://github.com/suzerain-io/pinniped.git /tmp/pinniped --depth 1 + ``` + +1. Deploy the `local-user-authenticator` app: + + ```bash + cd /tmp/pinniped/deploy-local-user-authenticator + ytt --file . | kapp deploy --yes --app local-user-authenticator --diff-changes --file - + ``` + +1. Create a test user. + + ```bash + kubectl create secret generic pinny-the-seal \ + --namespace local-user-authenticator \ + --from-literal=groups=group1,group2 \ + --from-literal=passwordHash=$(htpasswd -nbBC 10 x password123 | sed -e "s/^x://") + ``` + +1. Fetch the auto-generated CA bundle for the `local-user-authenticator`'s HTTP TLS endpoint. + + ```bash + kubectl get secret api-serving-cert --namespace local-user-authenticator \ + -o jsonpath={.data.caCertificate} \ + | base64 -d \ + | tee /tmp/local-user-authenticator-ca + ``` +1. Deploy Pinniped. + + ```bash + cd /tmp/pinniped/deploy + ytt --file . | kapp deploy --yes --app pinniped --diff-changes --file - \ + --data-value "webhook_url=https://local-user-authenticator.local-user-authenticator.svc/authenticate" \ + --data-value "webhook_ca_bundle=$(cat /tmp/local-user-authenticator-ca)" + ``` + +1. Download the latest version of the Pinniped CLI binary for your platform + from [Pinniped's github Releases page](https://github.com/suzerain-io/pinniped/releases/latest). + +1. Move the Pinniped CLI binary to your preferred directory and add the executable bit, + e.g. `chmod +x /usr/local/bin/pinniped`. + +1. Generate a kubeconfig. + + ```bash + pinniped get-kubeconfig --token "pinny-the-seal:password123" > /tmp/pinniped-kubeconfig + ``` + +1. Create RBAC rules for the test user to give them permissions to perform actions on the cluster. + For example, grant the test user permission to view all cluster resources. + + ```bash + kubectl create clusterrolebinding pinny-can-read --clusterrole view --user pinny-the-seal + ``` + +1. Use the generated kubeconfig to issue arbitrary `kubectl` commands as the `pinny-the-seal` user. + + ```bash + kubectl --kubeconfig /tmp/pinniped-kubeconfig get pods -n pinniped + ``` From 12f0997193edbad314de3e7396941a79fc45dd86 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 15 Sep 2020 13:52:08 -0500 Subject: [PATCH 30/32] Wait for informers to sync before we pass readiness check. Signed-off-by: Matt Moyer --- internal/controllermanager/prepare_controllers.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go index fc8218868..282d17bae 100644 --- a/internal/controllermanager/prepare_controllers.go +++ b/internal/controllermanager/prepare_controllers.go @@ -133,6 +133,10 @@ func PrepareControllers( installationNamespaceK8sInformers.Start(ctx.Done()) installationNamespacePinnipedInformers.Start(ctx.Done()) + kubePublicNamespaceK8sInformers.WaitForCacheSync(ctx.Done()) + installationNamespaceK8sInformers.WaitForCacheSync(ctx.Done()) + installationNamespacePinnipedInformers.WaitForCacheSync(ctx.Done()) + go controllerManager.Start(ctx) }, nil } From 92372d20a9c1646a270859f4f68bd70fd827fd85 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 15 Sep 2020 13:57:35 -0500 Subject: [PATCH 31/32] Tidy go.mod/go.sum. I accidentally missed this in bbef017989f6dab720b85f033479ea044501e7d6 and it's not currently part of our CI linting. Signed-off-by: Matt Moyer --- go.mod | 1 - go.sum | 38 -------------------------------------- 2 files changed, 39 deletions(-) diff --git a/go.mod b/go.mod index 5d8e7db8f..bc2905c57 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,6 @@ require ( github.com/davecgh/go-spew v1.1.1 github.com/go-logr/logr v0.2.1 github.com/go-logr/stdr v0.2.0 - github.com/go-logr/zapr v0.2.0 // indirect github.com/golang/mock v1.4.4 github.com/golangci/golangci-lint v1.31.0 github.com/google/go-cmp v0.5.2 diff --git a/go.sum b/go.sum index 570aaaa05..0b7469e09 100644 --- a/go.sum +++ b/go.sum @@ -98,8 +98,6 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/daixiang0/gci v0.0.0-20200727065011-66f1df783cb2 h1:3Lhhps85OdA8ezsEKu+IA1hE+DBTjt/fjd7xNCrHbVA= -github.com/daixiang0/gci v0.0.0-20200727065011-66f1df783cb2/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4= github.com/daixiang0/gci v0.2.4 h1:BUCKk5nlK2m+kRIsoj+wb/5hazHvHeZieBKWd9Afa8Q= github.com/daixiang0/gci v0.2.4/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -133,15 +131,12 @@ github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWo github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-critic/go-critic v0.5.0 h1:Ic2p5UCl5fX/2WX2w8nroPpPhxRNsNTMlJzsu/uqwnM= -github.com/go-critic/go-critic v0.5.0/go.mod h1:4jeRh3ZAVnRYhuWdOEvwzVqLUpxMSoAT0xZ74JsTPlo= github.com/go-critic/go-critic v0.5.2 h1:3RJdgf6u4NZUumoP8nzbqiiNT8e1tC2Oc7jlgqre/IA= github.com/go-critic/go-critic v0.5.2/go.mod h1:cc0+HvdE3lFpqLecgqMaJcvWWH77sLdBp+wLGPM1Yyo= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-lintpack/lintpack v0.5.2/go.mod h1:NwZuYi2nUHho8XEIZ6SIxihrnPoqBTDqfpXvXAN0sXM= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= @@ -151,8 +146,6 @@ github.com/go-logr/logr v0.2.1 h1:fV3MLmabKIZ383XifUjFSwcoGee0v9qgPp8wy5svibE= github.com/go-logr/logr v0.2.1/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/stdr v0.2.0 h1:EuTFw3BCZ6H/+1VNFlOLVK/sPKwmGMLx8/FTOFWuXpU= github.com/go-logr/stdr v0.2.0/go.mod h1:NO1vneyJDqKVgJYnxhwXWWmQPOvNM391IG3H8ql3jiA= -github.com/go-logr/zapr v0.2.0 h1:v6Ji8yBW77pva6NkJKQdHLAJKrIJKRHz0RXwPqCHSR4= -github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU= github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= @@ -179,17 +172,13 @@ github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4= github.com/go-toolsmith/astcopy v1.0.0 h1:OMgl1b1MEpjFQ1m5ztEO06rz5CUd3oBv9RF7+DyvdG8= github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ= -github.com/go-toolsmith/astequal v0.0.0-20180903214952-dcb477bfacd6/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= github.com/go-toolsmith/astequal v1.0.0 h1:4zxD8j3JRFNyLN46lodQuqz3xdKSrur7U/sr0SDS/gQ= github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY= -github.com/go-toolsmith/astfmt v0.0.0-20180903215011-8f8ee99c3086/go.mod h1:mP93XdblcopXwlyN4X4uodxXQhldPGZbcEJIimQHrkg= github.com/go-toolsmith/astfmt v1.0.0 h1:A0vDDXt+vsvLEdbMFJAUBI/uTbRw1ffOPnxsILnFL6k= github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw= github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU= -github.com/go-toolsmith/astp v0.0.0-20180903215135-0af7e3c24f30/go.mod h1:SV2ur98SGypH1UjcPpCatrV5hPazG6+IfNHbkDXBRrk= github.com/go-toolsmith/astp v1.0.0 h1:alXE75TXgcmupDsMK1fRAy0YUzLzqPVvBKoyWV+KPXg= github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI= -github.com/go-toolsmith/pkgload v0.0.0-20181119091011-e9e65178eee8/go.mod h1:WoMrjiy4zvdS+Bg6z9jZH82QXwkcgCBX6nOfnmdaHks= github.com/go-toolsmith/pkgload v1.0.0 h1:4DFWWMXVfbcN5So1sBNW9+yeiMqLFGl1wFLTL5R0Tgg= github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc= github.com/go-toolsmith/strparse v1.0.0 h1:Vcw78DnpCAKlM20kSbAyO4mPfJn/lyYA4BJUDxe2Jb4= @@ -201,8 +190,6 @@ github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/gofrs/flock v0.7.1 h1:DP+LD/t0njgoPBvT5MJLeliUIVQR03hiKR6vezdwHlc= -github.com/gofrs/flock v0.7.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gofrs/flock v0.8.0 h1:MSdYClljsF3PbENUUEx85nkWfJSGfzYI9yEBZOJz6CY= github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -248,8 +235,6 @@ github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d h1:pXTK/gkVNs7Zyy github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d/go.mod h1:ozx7R9SIwqmqf5pRP90DhR2Oay2UIjGuKheCBCNwAYU= github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a h1:iR3fYXUjHCR97qWS8ch1y9zPNsgXThGwjKPrYfqMPks= github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU= -github.com/golangci/golangci-lint v1.30.0 h1:UhdK5WbO0GBd7W+k2lOD7BEJH4Wsa7zKfw8m3/aEJGQ= -github.com/golangci/golangci-lint v1.30.0/go.mod h1:5t0i3wHlqQc9deBBvZsP+a/4xz7cfjV+zhp5U0Mzp14= github.com/golangci/golangci-lint v1.31.0 h1:+m9I3LEmxXLpymkXRPkDQGzOVBmBYm16UtDiXqZxWek= github.com/golangci/golangci-lint v1.31.0/go.mod h1:aMQuNCA+NDU5+4jLL5pEuFHoue0IznKE2+/GsFvvs8A= github.com/golangci/ineffassign v0.0.0-20190609212857-42439a7714cc h1:gLLhTLMk2/SutryVJ6D4VZCU3CUqr8YloG7FPIBWFpI= @@ -362,8 +347,6 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.10.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.10.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.10.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -440,8 +423,6 @@ github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d h1:AREM5mwr4u1 github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nishanths/exhaustive v0.0.0-20200708172631-8866003e3856 h1:W3KBC2LFyfgd+wNudlfgCCsTo4q97MeNWrfz8/wSdSc= -github.com/nishanths/exhaustive v0.0.0-20200708172631-8866003e3856/go.mod h1:wBEpHwM2OdmeNpdCvRPUlkEbBuaFmcK4Wv8Q7FuGW3c= github.com/nishanths/exhaustive v0.0.0-20200811152831-6cf413ae40e0 h1:eMV1t2NQRc3r1k3guWiv/zEeqZZP6kPvpUfy6byfL1g= github.com/nishanths/exhaustive v0.0.0-20200811152831-6cf413ae40e0/go.mod h1:wBEpHwM2OdmeNpdCvRPUlkEbBuaFmcK4Wv8Q7FuGW3c= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= @@ -496,8 +477,6 @@ github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFB github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI= -github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8 h1:DvnesvLtRPQOvaUbfXfh0tpMHg29by0H7F2U+QIkSu8= -github.com/quasilyte/go-ruleguard v0.1.2-0.20200318202121-b00d7a75d3d8/go.mod h1:CGFX09Ci3pq9QZdj86B+VGIdNj4VyCo2iPOGS9esB/k= github.com/quasilyte/go-ruleguard v0.2.0 h1:UOVMyH2EKkxIfzrULvA9n/tO+HtEhqD9mrLSWMr5FwU= github.com/quasilyte/go-ruleguard v0.2.0/go.mod h1:2RT/tf0Ce0UDj5y243iWKosQogJd8+1G3Rs2fxmlYnw= github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95 h1:L8QM9bvf68pVdQ3bCFZMDmnt9yqcMBro1pC7F+IPYMY= @@ -538,8 +517,6 @@ github.com/soheilhy/cmux v0.1.4 h1:0HKaf1o97UwFjHH9o5XsHUOF+tqmdA7KEzXLpiyaw0E= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sonatard/noctx v0.0.1 h1:VC1Qhl6Oxx9vvWo3UDgrGXYCeKCe3Wbw7qAWL6FrmTY= github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= -github.com/sourcegraph/go-diff v0.5.3 h1:lhIKJ2nXLZZ+AfbHpYxTn0pXpNTTui0DX7DO3xeb1Zs= -github.com/sourcegraph/go-diff v0.5.3/go.mod h1:v9JDtjCE4HHHCZGId75rg8gkKKa98RVjBcBGsVmMmak= github.com/sourcegraph/go-diff v0.6.0 h1:WbN9e/jD8ujU+o0vd9IFN5AEwtfB0rn/zM/AANaClqQ= github.com/sourcegraph/go-diff v0.6.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= @@ -559,12 +536,8 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.7.0 h1:xVKxvI7ouOI5I+U9s2eeiUfMaWBVoXA3AWskkrqK0VM= -github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk= github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/ssgreg/nlreturn/v2 v2.0.1 h1:+lm6xFjVuNw/9t/Fh5sIwfNWefiD5bddzc6vwJ1TvRI= -github.com/ssgreg/nlreturn/v2 v2.0.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/ssgreg/nlreturn/v2 v2.1.0 h1:6/s4Rc49L6Uo6RLjhWZGBpWWjfzk2yrf1nIW8m4wgVA= github.com/ssgreg/nlreturn/v2 v2.1.0/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -591,8 +564,6 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa h1:RC4maTWLKKwb7p1cnoygsbKIgNlJqSYBeAFON3Ar8As= github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ultraware/funlen v0.0.2 h1:Av96YVBwwNSe4MLR7iI/BIa3VyI7/djnto/pK3Uxbdo= -github.com/ultraware/funlen v0.0.2/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iLA= github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA= github.com/ultraware/whitespace v0.0.4 h1:If7Va4cM03mpgrNH9k49/VOicWpGoG70XPBFFODYDsg= @@ -601,9 +572,7 @@ github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb github.com/uudashr/gocognit v1.0.1 h1:MoG2fZ0b/Eo7NXoIwCVFLG5JED3qgQz5/NEE+rOsjPs= github.com/uudashr/gocognit v1.0.1/go.mod h1:j44Ayx2KW4+oB6SWMv8KsmHzZrOInQav7D3cQMJ5JUM= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= -github.com/valyala/fasthttp v1.12.0/go.mod h1:229t1eWu9UXTPmoUkbpN/fctKPBY4IJoFXQnxHGXy6E= github.com/valyala/fasthttp v1.15.1/go.mod h1:YOKImeEosDdBPnxc0gy7INqi3m1zK6A+xl6TwOBhHCA= -github.com/valyala/quicktemplate v1.5.1/go.mod h1:v7yYWpBEiutDyNfVaph6oC/yKwejzVyTX/2cwwHxyok= github.com/valyala/quicktemplate v1.6.2/go.mod h1:mtEJpQtUiBV0SHhMX6RtiJtqxncgrfmjcUy5T68X8TM= github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= @@ -626,7 +595,6 @@ go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= @@ -754,7 +722,6 @@ golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181117154741-2ddaf7f79a09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190221204921-83362c3779f5/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -767,7 +734,6 @@ golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190521203540-521d6ed310dd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= @@ -886,8 +852,6 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k= honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= k8s.io/api v0.19.0 h1:XyrFIJqTYZJ2DU7FBE/bSPz7b1HvbVBuBf07oeo6eTc= @@ -930,5 +894,3 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4 h1:JPJh2pk3+X4lXAkZIk2RuE/7/FoK9maXw+TNPJhVS/c= -sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0= From 8df910361cc85213d5454d8c3badd764fc4c25f3 Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Tue, 15 Sep 2020 14:10:46 -0500 Subject: [PATCH 32/32] Clean up CredentialRequest `types.go`. Mostly cleaned up and added doc strings, but also removed unneeded protobuf tags. Signed-off-by: Matt Moyer --- apis/pinniped/v1alpha1/types.go.tmpl | 27 +++++++++++-------- generated/1.17/README.adoc | 10 +++---- .../1.17/apis/pinniped/v1alpha1/types.go | 27 +++++++++++-------- .../client/openapi/zz_generated.openapi.go | 15 +++++++---- generated/1.18/README.adoc | 10 +++---- .../1.18/apis/pinniped/v1alpha1/types.go | 27 +++++++++++-------- .../client/openapi/zz_generated.openapi.go | 15 +++++++---- generated/1.19/README.adoc | 10 +++---- .../1.19/apis/pinniped/v1alpha1/types.go | 27 +++++++++++-------- .../client/openapi/zz_generated.openapi.go | 15 +++++++---- 10 files changed, 109 insertions(+), 74 deletions(-) diff --git a/apis/pinniped/v1alpha1/types.go.tmpl b/apis/pinniped/v1alpha1/types.go.tmpl index 0037021ea..420f14023 100644 --- a/apis/pinniped/v1alpha1/types.go.tmpl +++ b/apis/pinniped/v1alpha1/types.go.tmpl @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.17/README.adoc b/generated/1.17/README.adoc index 9d6cf898f..8015915a6 100644 --- a/generated/1.17/README.adoc +++ b/generated/1.17/README.adoc @@ -210,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequest"] ==== CredentialRequest - +CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. .Appears In: **** @@ -230,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequestcredential"] ==== CredentialRequestCredential - +CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. .Appears In: **** @@ -252,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequestspec"] ==== CredentialRequestSpec - +CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API .Appears In: **** @@ -270,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequeststatus"] ==== CredentialRequestStatus - +CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. .Appears In: **** @@ -288,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-17-apis-pinniped-v1alpha1-credentialrequesttokencredential"] ==== CredentialRequestTokenCredential - +CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. .Appears In: **** diff --git a/generated/1.17/apis/pinniped/v1alpha1/types.go b/generated/1.17/apis/pinniped/v1alpha1/types.go index 0037021ea..420f14023 100644 --- a/generated/1.17/apis/pinniped/v1alpha1/types.go +++ b/generated/1.17/apis/pinniped/v1alpha1/types.go @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.17/client/openapi/zz_generated.openapi.go b/generated/1.17/client/openapi/zz_generated.openapi.go index d74a7c8f0..90cf9920f 100644 --- a/generated/1.17/client/openapi/zz_generated.openapi.go +++ b/generated/1.17/client/openapi/zz_generated.openapi.go @@ -531,7 +531,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCal return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { SchemaProps: spec.SchemaProps{ @@ -574,7 +575,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "expirationTimestamp": { SchemaProps: spec.SchemaProps{ @@ -662,7 +664,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -689,7 +692,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "credential": { SchemaProps: spec.SchemaProps{ @@ -716,7 +720,8 @@ func schema_117_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "value": { SchemaProps: spec.SchemaProps{ diff --git a/generated/1.18/README.adoc b/generated/1.18/README.adoc index e78c5cd8a..3e7c5f74d 100644 --- a/generated/1.18/README.adoc +++ b/generated/1.18/README.adoc @@ -210,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequest"] ==== CredentialRequest - +CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. .Appears In: **** @@ -230,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequestcredential"] ==== CredentialRequestCredential - +CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. .Appears In: **** @@ -252,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequestspec"] ==== CredentialRequestSpec - +CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API .Appears In: **** @@ -270,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequeststatus"] ==== CredentialRequestStatus - +CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. .Appears In: **** @@ -288,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-18-apis-pinniped-v1alpha1-credentialrequesttokencredential"] ==== CredentialRequestTokenCredential - +CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. .Appears In: **** diff --git a/generated/1.18/apis/pinniped/v1alpha1/types.go b/generated/1.18/apis/pinniped/v1alpha1/types.go index 0037021ea..420f14023 100644 --- a/generated/1.18/apis/pinniped/v1alpha1/types.go +++ b/generated/1.18/apis/pinniped/v1alpha1/types.go @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.18/client/openapi/zz_generated.openapi.go b/generated/1.18/client/openapi/zz_generated.openapi.go index 89ffed825..522c15435 100644 --- a/generated/1.18/client/openapi/zz_generated.openapi.go +++ b/generated/1.18/client/openapi/zz_generated.openapi.go @@ -531,7 +531,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCal return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { SchemaProps: spec.SchemaProps{ @@ -574,7 +575,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "expirationTimestamp": { SchemaProps: spec.SchemaProps{ @@ -662,7 +664,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -689,7 +692,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "credential": { SchemaProps: spec.SchemaProps{ @@ -716,7 +720,8 @@ func schema_118_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "value": { SchemaProps: spec.SchemaProps{ diff --git a/generated/1.19/README.adoc b/generated/1.19/README.adoc index b6016dd2f..723765955 100644 --- a/generated/1.19/README.adoc +++ b/generated/1.19/README.adoc @@ -210,7 +210,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequest"] ==== CredentialRequest - +CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. .Appears In: **** @@ -230,7 +230,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequestcredential"] ==== CredentialRequestCredential - +CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. .Appears In: **** @@ -252,7 +252,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequestspec"] ==== CredentialRequestSpec - +CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API .Appears In: **** @@ -270,7 +270,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequeststatus"] ==== CredentialRequestStatus - +CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. .Appears In: **** @@ -288,7 +288,7 @@ Package v1alpha1 is the v1alpha1 version of the Pinniped aggregated API. [id="{anchor_prefix}-github-com-suzerain-io-pinniped-generated-1-19-apis-pinniped-v1alpha1-credentialrequesttokencredential"] ==== CredentialRequestTokenCredential - +CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. .Appears In: **** diff --git a/generated/1.19/apis/pinniped/v1alpha1/types.go b/generated/1.19/apis/pinniped/v1alpha1/types.go index 0037021ea..420f14023 100644 --- a/generated/1.19/apis/pinniped/v1alpha1/types.go +++ b/generated/1.19/apis/pinniped/v1alpha1/types.go @@ -13,19 +13,23 @@ const ( TokenCredentialType = CredentialType("token") ) +// CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider. type CredentialRequestTokenCredential struct { // Value of the bearer token supplied with the credential request. - Value string `json:"value,omitempty" protobuf:"bytes,1,opt,name=value"` + Value string `json:"value,omitempty"` } +// CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API type CredentialRequestSpec struct { // Type of credential. - Type CredentialType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"` + Type CredentialType `json:"type,omitempty"` // Token credential (when Type == TokenCredentialType). - Token *CredentialRequestTokenCredential `json:"token,omitempty" protobuf:"bytes,2,opt,name=token"` + Token *CredentialRequestTokenCredential `json:"token,omitempty"` } +// CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It +// contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster. type CredentialRequestCredential struct { // ExpirationTimestamp indicates a time when the provided credentials expire. ExpirationTimestamp metav1.Time `json:"expirationTimestamp,omitempty"` @@ -40,6 +44,7 @@ type CredentialRequestCredential struct { ClientKeyData string `json:"clientKeyData,omitempty"` } +// CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API. type CredentialRequestStatus struct { // A Credential will be returned for a successful credential request. // +optional @@ -50,25 +55,25 @@ type CredentialRequestStatus struct { Message *string `json:"message,omitempty"` } +// CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential. // +genclient // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - type CredentialRequest struct { metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ObjectMeta `json:"metadata,omitempty"` - Spec CredentialRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status CredentialRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` + Spec CredentialRequestSpec `json:"spec,omitempty"` + Status CredentialRequestStatus `json:"status,omitempty"` } -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // CredentialRequestList is a list of CredentialRequest objects. +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type CredentialRequestList struct { metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + metav1.ListMeta `json:"metadata,omitempty"` - Items []CredentialRequest `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []CredentialRequest `json:"items"` } diff --git a/generated/1.19/client/openapi/zz_generated.openapi.go b/generated/1.19/client/openapi/zz_generated.openapi.go index 284b45c60..55f7d42a3 100644 --- a/generated/1.19/client/openapi/zz_generated.openapi.go +++ b/generated/1.19/client/openapi/zz_generated.openapi.go @@ -532,7 +532,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequest(ref common.ReferenceCal return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequest submits an IDP-specific credential to Pinniped in exchange for a cluster-specific credential.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "kind": { SchemaProps: spec.SchemaProps{ @@ -575,7 +576,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestCredential(ref common.Re return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestCredential is the cluster-specific credential returned on a successful CredentialRequest. It contains either a valid bearer token or a valid TLS certificate and corresponding private key for the cluster.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "expirationTimestamp": { SchemaProps: spec.SchemaProps{ @@ -663,7 +665,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestSpec(ref common.Referenc return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestSpec is the specification of a CredentialRequest, expected on requests to the Pinniped API", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "type": { SchemaProps: spec.SchemaProps{ @@ -690,7 +693,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestStatus(ref common.Refere return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestStatus is the status of a CredentialRequest, returned on responses to the Pinniped API.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "credential": { SchemaProps: spec.SchemaProps{ @@ -717,7 +721,8 @@ func schema_119_apis_pinniped_v1alpha1_CredentialRequestTokenCredential(ref comm return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Type: []string{"object"}, + Description: "CredentialRequestTokenCredential holds a bearer token issued by an upstream identity provider.", + Type: []string{"object"}, Properties: map[string]spec.Schema{ "value": { SchemaProps: spec.SchemaProps{